Fourth OCR Ransomware Settlement
We expect headlines like this to keep coming as ransomware-related breach cases work their way through the HHS Office for Civil Rights (OCR).
Last month OCR announced a $250,000 settlement and a two-year corrective action plan (CAP) with Cascade Eye and Skin Centers, P.C. (Cascade) of Washington State. A ransomware attack compromised electronic protected health information (ePHI) affecting approximately 291,000 patients. In its media release, OCR found that Cascade had failed to "...conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems, and to have sufficient monitoring of its health information systems' activity to protect against a cyber-attack..." Note what the finding is about: not the ransomware itself, but the absence of the risk analysis and the information system activity monitoring that the Security Rule already requires.
Under the CAP, Cascade agreed to:
conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI (45 CFR 164.308(a)(1)(ii)(A));
implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in that risk analysis (164.308(a)(1)(ii)(B));
develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports (164.308(a)(1)(ii)(D));
develop policies and procedures for responding to an emergency or other occurrence that damages systems containing ePHI (the contingency plan standard, 164.308(a)(7));
develop written procedures to assign a unique name and/or number for identifying and tracking user identity in its systems containing ePHI (unique user identification, 164.312(a)(2)(i)); and
review and revise, if necessary, its written policies and procedures to comply with the HIPAA Privacy and Security Rules.
All of these actions should already be part of a basic HIPAA Security program; they are standing Security Rule requirements, not new obligations invented for this settlement. We'll show you how to create the policies and procedures that keep your organization out of an OCR CAP. Click the link below to read OCR's announcement.
Stay (HIPAA) safe,
Alan -