HHS Reveals First Settlement in a Ransomware Case Involving Doctors’ Management Services
Well, pull up a chair and let’s have a natter about something rather serious. It’s a topic we’ve all glanced at in our inboxes or heard in the estate’s local pub – data protection, or should I say, the unfortunate lack thereof. It’s an issue of paramount importance particularly in the healthcare sector, where a vast amount of sensitive data is managed, and yet we hear all too often about the ‘cracks’ in the cybersecurity wall.
Case in point – remember hearing about a massive breach reported to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR)? Over 206,000 individuals’ electronic health records had been held to ransom by a wicked bit of software named -and you’ll get a dark chuckle out of this – GandCrab. Fantastic name aside, on a sober note, GandCrab is an example of ransomware.
‘But what’s ransomware?’, I hear you ask. It’s a type of malicious software designed to mercilessly encrypt user’s data, holding it hostage until a ransom is paid to the hacker who deployed the software. Your private health information becomes someone else’s leverage, and not to mention, payday. It’s a bit ‘Lord of War’, isn’t it, the whole business?
The company that fell foul of GandCrab was Doctors’ Management Services, a medical management firm based out of Massachusetts. Unfortunately, they only discovered the attack on Christmas Eve, 2018, a full twenty months after the initial infiltration took place on April 1, 2017. Topping it all off, the investigation only began in April of 2019!
According to the investigation, Doctors’ Management Services might have dropped the ball in a few critical areas. Firstly, they didn’t complete a proper risk analysis to determine the potential vulnerabilities. You wouldn’t cross the road without checking for cars, would you? But, they didn’t seem to be showing the same level of caution while handling sensitive digital health information.
Secondly, their monitoring of system activity was insufficient to guard against a cyber-attack. And lastly, there were no adequate policies or procedures in place to comply with critical security rules needed to ensure electronic health information remained confidential and readily available. It’s a bit like leaving your front door unlocked, isn’t it?
To remedy these glaring issues, Doctors’ Management Services had to cough up a whopping $100,000 to the OCR and agree to implement a more robust action plan. On top of that, they are also required to stay in line with the HHS’s Privacy and Security rules for the next three years, and rightfully so.
The new plans include a complete review and update of their risk analysis, which would identify any potential risks and vulnerabilities to the company’s data. Also, they are to revise their policies and procedures to comply with privacy and security rules better and provide their workforce with much-needed training on these matters.
Suffice to say; it’s been a wake-up call for us all, hasn’t it? So let’s all remember to stay safe out there mates because much like the weather, it’s not just chilly winds that could catch us off guard, but digital threats lurking in our network nooks.
I suppose the take-home message here is to never underestimate the importance of cybersecurity, especially in an industry as vital as healthcare. After all, most wouldn’t leave their front door open, so why leave electronic data wide open the same way?
That’s it for today’s tale on the information superhighway. It’s high time we start taking these issues as seriously as a heart attack, because friends, where data security is concerned, prevention is indeed the best cure.
by Parker Bytes