Cyber criminals don’t give any particular type of organization a break. They don’t restrict their attacks to big hospitals, research organizations, government sites or profit making companies. Their primary goal is to obtain protected health information (PHI) wherever they can find it and use it for profit. A secondary goal, especially among the nation state threat actors, is to disrupt and interfere with critical infrastructure. Sadly, cyber criminals attack community clinics, hospices, and smaller providers – any organization with an opening in their cybersecurity defense is vulnerable.
In response to recent malicious cyber incidents in Ukraine, the Cybersecurity and Infrastructure Security Agency (CISA) recently warned that every organization in the U.S. is at risk from cyber threats. In addition, ECRI, an independent, nonprofit organization that provides guidance and technology solutions to the healthcare industry, lists cybersecurity attacks as the top health technology hazard for 2022 in its recent annual executive brief.
In late January we wrote about cybersecurity attacks hitting specialty providers and business associates. Today’s follow-up underscores how small to medium size providers, including non-profits and small community health clinics, are vulnerable to cybersecurity incidents.
All organizations in healthcare need to review and refresh their HIPAA compliance, because the number one defense against cyber crime in healthcare is to follow the HIPAA Security Rule.
FQHCs Hit with Ransomware and Malware Attacks
The Family Christian Health Center (FCHC), a Federally Qualified Health Center (FQHC) in Harvey, Illinois suffered a ransomware attack late last year affecting 31,000 individuals. FCHC first discovered the ransomware attack on November 30, 2021, a notice on its website explained.
Its notice explains that FCHC had been working hard to increase system security and employee awareness over the past two years, but despite those efforts it still fell victim to a ransomware attack that potentially exposed patient information, such as names, insurance card numbers, birth dates, and addresses, as well as copies of insurance cards and driver’s licenses. For other patients the ransomware attack exposed Social Security numbers, names, birth dates, addresses, and insurance identification numbers. FCHC hired an IT forensics expert to investigate the cause and suggest additional security measures.
Cross Timbers Health Clinics, dba AccelHealth in Texas, discovered it had been hacked on December 15, 2021, when it could not access some electronic files on its servers. It later learned that the information accessed by the cyber criminals included names, Social Security numbers, financial account numbers, health insurance information, medical record numbers, birth dates, addresses, and treatment information; 48,000 patients were affected.
Native American Health Service, Catholic Hospice, among Others
The OCR breach reporting portal is full of examples of breaches occurring at specialty providers of all sizes. Two recent ones that stand out are below.
Seneca Nation Health System
The Seneca Nation Health System (SNHS) provides comprehensive care to members of the nation in parts of New York and Pennsylvania; SNHS reported a hacking/breach incident to the Office for Civil Rights (OCR) on February 8, 2022. Details of the incident haven’t been publicly reported as of today, except that the breach affected 12,000 individuals.
SNHS is a non-profit public health organization and has a federal contract with the Indian Health Service (IHS) to provide ambulatory health care. Its website has a thorough explanation of patients’ rights under HIPAA, including guidance about how to obtain one’s medical records – in fact the information is more complete than on many provider websites.
Catholic Hospice, located in South Florida, learned on December 1, 2021, that three employee email accounts may have been compromised. In its breach report to OCR, the hospice reported that nearly 15,000 individuals’ information was exposed. The information may have included names, addresses, demographic data, medical information, Social Security numbers, and treatment information.
HIPAA Risk Management and the Security Rule
We do not mean to imply that these particular providers that experienced breaches did not follow HIPAA. The full facts about what happened, and how the providers managed their systems, are not known. There are cases where, despite efforts to maintain privacy and security, hackers can break through. For example, Family Christian Health Center, mentioned above, emphasizes that it had worked hard to strengthen system security in recent years.
These examples are provided to show that cybersecurity is a real and present risk, is increasing throughout healthcare, and can happen to any organization. While there is no ironclad guarantee that good security will prevent every attack, it is well known that improved security can make it more difficult for hackers to succeed, and can reduce the risks to providers. All the advice provided by the most experienced experts at CISA, the FBI, and cybersecurity consultants who specialize in healthcare tracks the HIPAA Security Rule.