The costs of a ransomware attack keep rising. First, there is the damage from the attack itself: downtime, investigation costs, and exposure of patient data. Second, if the targeted hospital chooses to pay the ransom, that payment can be expensive. Finally, a class action lawsuit may follow. All three happened to Sturdy Memorial Hospital in Attleboro, Massachusetts after it was struck by a ransomware attack in February 2021. The hospital released a public notice about the incident on May 28, 2021; the lawsuit was filed August 26.
Add to these woes an investigation by the Office for Civil Rights (OCR), the HIPAA enforcement office, which investigates every breach that affects 500 or more individuals. The Sturdy Memorial Hospital breach affected 35,000. Both the lawsuit and the OCR investigation will take many months to conclude or settle, costing time, distraction and legal fees, with a possible judgment or settlement payment at the end.
In its May 28 statement, Sturdy explained that it decided to pay the ransom in exchange for “assurances that the information acquired would not be further distributed and that it had been destroyed.” But cybersecurity experts, the FBI and CISA (the Cybersecurity and Infrastructure Security Agency) all agree that paying a ransom is no guarantee that stolen data will be destroyed: the attacker keeps a copy, and time and again such assurances turn out to be false when the data turns up for sale later on the dark web. Paying a ransom also funds the criminals and encourages them to strike again.
HIPAA Risk Management Saves Money
Today, cybersecurity incidents are inevitable in every sector of the economy, and healthcare is among the most heavily targeted because patient data is so valuable. A recent study pegged the average cost of a healthcare data breach at $9.23 million per incident.
The best defense against ransomware is a strong HIPAA compliance program that tracks the requirements of the Privacy, Security and Breach Notification Rules. HIPAA Risk Analysis and Risk Management not only catch vulnerabilities and weaknesses before an incident, but also produce a step-by-step action plan to strengthen defenses and help prevent an attack.
A good HIPAA compliance program does more, though. If a covered entity follows HIPAA carefully and practices good HIPAA Risk Management, that documented compliance effort is a strong defense in a lawsuit. In every lawsuit against healthcare organizations for privacy breaches we’ve seen, a key part of the complaint is that the defendant did not follow HIPAA carefully enough. Remember, HIPAA does not give individuals a private right of action, but creative lawyers allege negligence or breach of contract and argue that the defendant did not meet the standard of care for protecting patient privacy that HIPAA requires.
HIPAA Risk Management is not Rocket Science
Risk Management includes regular, repeated Risk Analysis, workforce HIPAA training (including cybersecurity training), monitoring of third-party vendor business associates, daily offsite data backups (kept offline or otherwise isolated from the production network, since ransomware operators go after any backups they can reach), and a number of other actions tailored to the organization’s particular situation.
At The HIPAA E-Tool®, the Risk Analysis includes a Security Rule Checklist that organizes all the Security Rule requirements, the safeguards and their implementation specifications, and helps organizations measure themselves against them. We also provide policies, workforce training, business associate compliance (for both covered entities and business associates), forms and templates.
Avoid the triple whammy with a better HIPAA compliance program. Do you have what it takes?