HHS Fines Company For Issues That Led Them To Get Pwned In A Ransomware Attack
HHS’s Office for Civil Rights (OCR) has levied a $40,000 fine against Green Ridge Behavioral Health, a Maryland psychiatric health services provider, for HIPAA violations related to a ransomware attack on the company.
Green Ridge experienced a ransomware attack in 2019 that encrypted the healthcare records of some 14,000 patients. Though the company did not pay the ransom and was able to recover its systems from backups, OCR’s investigation revealed that it had been well out of compliance with HIPAA regulations.
Green Ridge Behavioral Health failed to:
- Have in place an accurate and thorough analysis to determine the potential risks and vulnerabilities to electronic protected health information;
- Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level; and
- Have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack.
Under the terms of the settlement with Green Ridge, HHS required the company to:
- Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;
- Design a Risk Management Plan to address and mitigate security risks and vulnerabilities found in the Risk Analysis;
- Review, develop, or revise its written policies and procedures to comply with the HIPAA Rules;
- Provide workforce training on HIPAA policies and procedures;
- Conduct an audit of all third-party arrangements to ensure appropriate business associate agreements are in place, where applicable; and
- Report to OCR when workforce members fail to comply with HIPAA.
This is the second time that OCR has fined a HIPAA regulated company for violations identified during a ransomware investigation.
Steve Hahn, Executive VP, BullWall had this comment:
“There is a reason HIPAA has strict compliance guidelines and cyber security is supremely important to the security of patient information. Ransomware attacks on medical service providers have become a serious threat to public health and safety. These attacks not only disrupt the delivery of essential medical services, but always compromise the security of sensitive patient information. The impact of these attacks can in fact be devastating, as they can leave medical providers struggling to recover their data and regain control of their systems. In this case, Green Ridge did not pay the ransom, but whether the ransom is paid or not, the costs in dollars and lost patient services severely cripple these already struggling institutions.
“Hospitals and healthcare organizations are particularly attractive targets for cybercriminals, and their reliance on technology to manage everything from patient records to surgical equipment makes them uniquely vulnerable. It is very encouraging to see OCR enforcing compliance with a cyber security “Best Practices” approach for providers.”
Mark B. Cooper, President & Founder, PKI Solutions follows with this:
“The fact that this is only the second time OCR has fined a HIPAA company for violations after a cyberattack should be a wake-up call for the Security Teams at every health services provider. Medical records are far more valuable for hackers than credit card numbers or Social Security numbers, so a mindset shift into proactive monitoring and visibility is needed; critical infrastructure protection (CIP) misconfigurations should be a priority and not an afterthought. Invest in proactive monitoring and visibility now or pay later.”
I’m all for punishing companies who don’t have their act together when it comes to security. The fact that this company got pwned, and then got punished for getting pwned should send the message that everyone needs to up their game. Or else.
This entry was posted on February 23, 2024 at 8:20 am and is filed under Commentary with tags Hacked, Lawsuit.