Breaking Compliance News Blog

When HIPAA security is a public health issue

Posted by Margaret Scavotto & Scott Gima on 1/18/22 9:00 AM


We often think of HIPAA security as an administrative issue. Or an IT problem.

It’s also a public health issue: Cyberattacks can impact patient care.

For example, an Alabama hospital was hit with ransomware during summer 2019, causing downtime to information systems. During this time, a pregnant mother was admitted to give birth. The infant died – and the mother is suing. The mother claims that, due to the ransomware, the number of medical professionals was reduced; safety measures were reduced; and the pen-and-paper system of managing patients was inadequate. The mother alleges that the hospital did not inform her of the ransomware attack or its limitations on the hospital. Text messages suggest that the chief OB-GYN was not aware of the mother’s condition – and that if she had been, she would have recommended a C-section (which was not performed). The lawsuit is still pending, so we don’t know the outcome yet – but this case certainly raises concerns about the potential impact of ransomware in healthcare. Concerns about the human cost of ransomware are exacerbated by the pandemic.

Lessons from UVM

“We should stop pretending that there is no harm to human life from cyber attacks.” – Josh Corman, senior adviser to CISA

Recently, CISA looked at data surrounding the ransomware attack at the University of Vermont Medical Center (UVM) in October 2020. The attack began when an employee took a work laptop on vacation and opened a compromised personal email from his homeowners’ association. When the employee returned to work on October 28, malware spread across the entire network. The attack caused EHR downtime. The Vermont National Guard cybersecurity team was brought in to help restore systems after the attack, and the EHR system was not restored until November 23. The attack cost UVM upwards of $63 million (insurance covers $30 million). The data showed that, during UVM’s ransomware attack, there were more deaths. Corman said: “Water is wet, fire is hot, and we can now tell that cyber disruption introduces degraded or delayed patient care.”

There is limited data on this subject and more research is needed – but Corman’s take on what happened in Vermont bears heeding. Healthcare providers have been dealing with COVID-19 for more than two years, and the healthcare system is once again strained to the limit. Beds are filling up again, and workers are infected or exposed to COVID-19. In St. Louis, many hospitals have delayed elective procedures in order to focus on treating COVID-19 patients, a scenario occurring in other cities across the country. Nursing homes are closing entire wings because they simply don’t have the staff. Using Department of Labor data, Modern Healthcare is reporting that nursing homes have seen a 241% decrease in employment between January 2020 and December 2021.

In this environment, a ransomware attack could have very dire consequences.

HIPAA security is always a public health issue – and even more so during a pandemic surge. Keep your organization running smoothly by maintaining your HIPAA Security Risk Analysis and security management plan. Like all public health issues, HIPAA security deserves to be a top priority.

Keep HIPAA at the top of your risk management plan:

  • Include your HIPAA Privacy and Security Officers on your compliance committee and your quality assurance committee.
  • Include HIPAA updates in regular reports to leadership and the Board.
  • Make sure HIPAA has support in your budget.
  • Conduct a HIPAA Security Risk Analysis at least annually – and update it frequently.
  • Use your Security Risk Analysis to create a management plan – and implement every action item in your management plan.
  • Train your workforce on HIPAA at hire, annually, and frequently in between with security reminders.
  • Read your security reports: who is identifying potential threats? Does your organization have a strong plan to identify and stop malicious attacks?
  • The Cybersecurity and Infrastructure Security Agency (CISA) provides timely information and alerts on current security issues or vulnerabilities. Subscribe to receive these updates by email.




Topics: HIPAA, data breach, security, compliance, webinar
