Ransomware: Preparing for the Storm That’s A Brewin’

On July 11, 2016, the Office for Civil Rights (“OCR”) published guidelines for ransomware attack prevention and recovery, including the role HIPAA has in assisting covered entities and business associates to prevent and recover from such attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack. According to the OCR report, there have been 4,000 daily ransomware attacks since early 2016, up 300% from 2015. Earlier this week a healthcare IT Security Consultant told me the chatter he hears is that the hackers out there are working on stronger, more aggressive, more deadly hacks to unleash, and he fears a hacking storm a brewin’. Time to get serious and batten down the hatches, folks!

The OCR report describes what a ransomware attack is, and explains that maintaining strict HIPAA Security Rule compliance can help prevent the introduction of malware, including ransomware. Some of the required security measures discussed include:

  • Implementing a security management process, which includes conducting a risk analysis and taking steps to mitigate or remediate identified threats and vulnerabilities;
  • Implementing processes to guard against and detect malicious software;
  • Training users on malicious software protection; and
  • Implementing access controls.

Since ransomware gets into your system, ties up your data by denying you access to it (usually through encryption), and then directs you to pay a ransom to the hacker in order to receive a decryption key, maintaining frequent backups and ensuring the ability to recover data from those backups is crucial to recovering from a ransomware attack. Again, HIPAA compliance protects entities because the Security Rule requires covered entities and business associates to implement a data backup plan as part of maintaining an overall contingency plan, which includes periodic testing of the plan to be sure it works.

The presence of ransomware – or any malware – is considered a security incident and triggers the need to initiate security incident response and reporting procedures. Based upon an analysis of the investigation results, breach notification may be required. Additionally, if there is an impermissible disclosure of PHI in violation of the Privacy Rule, there is a presumed breach, which may trigger notification. Whether or not the presence of ransomware would be a breach under the HIPAA Rules is thus fact-specific. However, unless the entity demonstrates there is a “…low probability that the PHI has been compromised,” a breach of PHI is presumed to have occurred and the entity must comply with the applicable breach notification provisions.

Further information and a copy of the OCR report can be found here.

HIPAA – Are you ready for an audit?

HIPAA (the Health Insurance Portability and Accountability Act) is well known to all health care providers, as it governs the privacy of patient information, among other things. The basic parameters of the Privacy Rule should be known to all providers who handle protected health information.

The Office of Civil Rights for the U.S. Department of Health and Human Services (“OCR”) has launched a new audit initiative to make sure that health care providers are complying with HIPAA. Concerning its initiative, OCR says, “OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.” Providers would be well advised to ensure that they are ready for a HIPAA audit and are in full compliance with the Privacy Rule.

HHS Office of Inspector General Issues 2015 Work Plan (Part 2)

This final post on the OIG’s 2015 Work Plan summarizes many of the OIG’s initiatives in other areas. To read Part 1, click here.

Medical Equipment and Sales: The OIG plans to examine 10 areas regarding equipment and supplies, including issues relating to power mobility devices, lower limb prosthetics, nebulizer machines and related drugs, diabetes testing supplies, and the payment system for renal dialysis services and drugs. The OIG will also review claims for frequently replaced medical equipment supplies to determine supplier compliance with medical necessity, frequency, and other Medicare requirements, noting that suppliers have automatically shipped certain device supplies without physician orders for refills.

Other Providers: The OIG plans to review other providers’ policies, practices, and billings and payments, including ambulance, anesthesia, chiropractic, diagnostic radiology, imaging, and clinical laboratory services. The OIG also will examine inappropriate and questionable billing by ophthalmologists, physician place of service coding errors, high use of outpatient physical therapy services, supplier compliance with transportation and set-up fee requirements for portable X-ray equipment, and high use of sleep-testing procedures by sleep disorder clinics.

Prescription Drugs: The OIG will review several areas relating to prescription drugs. Of note, the OIG plans to examine payments for drugs purchased under the 340B Drug Pricing Program by determining how much Medicare Part B spending could be reduced if Medicare could share the savings for drugs purchased under the 340B program.

Part A and B Contractors: The OIG plans to examine seven areas relating to oversight of contracts and contractor functions and performance.

Information Technology Security, Protected Health Information, and Data Accuracy: Of note, the OIG plans to examine whether CMS oversight of hospitals’ security controls over networked medical services is adequate to protect electronic protected health information. The OIG states that computerized medical devices that are integrated with electronic medical records and a health network are a growing threat to the security and privacy of health information. These medical devices monitor a patient’s health status and transmit and receive health data.

Other Part A and Part B Program Management Issues: The OIG will examine enhanced enrollment screening procedures for Medicare providers under the ACA. For the first time, the OIG will conduct a risk assessment of the Pioneer Accountable Care Organization Model.

Medicare Part C and Part D: The OIG plans several activities regarding Medicare Part C and Part D, including Medicare Advantage Organizations’ compliance with Part C requirements, ensuring dual-eligible patient access to drugs under Part D, and Part D billing and payments, including Medicare Part D payments for HIV drugs for deceased beneficiaries.

Medicaid Program: The OIG will investigate several areas relating to Medicaid, noting that protecting Medicaid from fraud, waste, and abuse takes on a heightened urgency as the program continues to expand. Thus, the OIG will investigate a variety of areas in the Medicaid program, including state claims for drug rebates and claims for federal reimbursement. The OIG will also review Medicaid payments by states for home health services and other community-based care, including determining whether adult day care services providers complied with federal and state requirements and whether home health agency health care workers were screened in accordance with federal and state requirements. In addition, the OIG will review issues relating to medical equipment and supplies, transportation, health care-acquired conditions, and managed care. Finally, the OIG will review a variety of issues regarding state management, funding, oversight, and payment for Medicaid.

Other: The OIG plans to review and investigate many other areas. For the first time, the OIG will determine the extent to which hospitals comply with the contingency planning requirements found in the Health Insurance Portability and Accountability Act (HIPAA), as well as compare the hospitals’ contingency plans with government and industry recommended practices.