The second largest nonprofit hospital chain in the United States has confirmed that it has fallen victim to a ransomware attack. The cyberattack has caused IT outages for over a week at facilities across the country. At one of the facilities, an emergency room nurse was so overwhelmed with the patient load that she called 911 and asked for help. Two area firefighters responded to the plea and worked in the emergency room for about an hour and a half until the situation was under control.
The hospital chain said that upon discovering the ransomware attack they took immediate steps to protect their systems, contain the incident, begin an investigation, and ensure continuity of care. They said their facilities were following existing protocols for system outages, which includes taking certain systems offline, such as electronic health records. In addition, they are taking steps to mitigate the disruption and maintain continuity of care.
The hospital chain said they also engaged cybersecurity specialists to further assist and support their team in the investigation and response process, and they notified law enforcement. They said they are continuing to conduct a thorough forensics investigation and review of their systems and will also seek to determine if there are any data impacts as part of that process.
Issue:
The healthcare sector is one of the largest victims of ransomware due to its vulnerability to breach of confidentiality and the critical nature of online patient records. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. It is imperative that all nursing facilities become proactive in preventing ransomware attacks to avoid data breaches which are reportable in terms of HIPAA requirements.
Discussion Points:
- Review policies and procedures related to HIPAA, PHI, the Privacy Rule, and data integrity. Ensure that they address how to avoid falling prey to security breach efforts by unauthorized individuals, and how to guard against and detect malicious software. Update as new information becomes available.
- Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposures, unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed.