The healthcare industry continues to be a major target for cyberattacks. The recent $80,000 penalty against Elgon Information Systems by the HHS Office for Civil Rights (OCR) shows why healthcare providers must improve their cybersecurity measures.
In March 2023, Elgon Information Systems, a Massachusetts-based provider of electronic medical records and billing support services, suffered a ransomware attack. Hackers exploited open firewall ports to infiltrate the company’s network on March 25, leaving a ransom note demanding payment on March 31, 2023.
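The incident summary above names the initial access vector as open firewall ports. Whether a perimeter rule set exposes remote-access or file-sharing services to the whole internet is exactly the kind of question a HIPAA risk analysis should answer, so here is an added example (not code from the original article or from Elgon) of a first-match rule-set review. The rule format, the sample rules and the external probe address (203.0.113.10, from a documentation range) are all constructed for the example; real firewalls use their own rule syntax and would need a small adapter in front of this logic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Services that should not be reachable from arbitrary internet sources.
# Constructed watch-list for the example; extend it to match local policy.
RISKY_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 1433: "MSSQL",
               3389: "RDP", 5900: "VNC"}


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a simplified, constructed format."""
    direction: str  # "in" or "out"
    action: str     # "allow" or "deny"
    source: str     # source CIDR
    dport: int      # destination TCP port


# Constructed sample rule set, evaluated top-down, first match wins,
# implicit deny at the end (the common semantics for perimeter firewalls).
SAMPLE_RULES = [
    Rule("in", "deny", "10.0.0.0/8", 3389),         # irrelevant to an external source
    Rule("in", "allow", "0.0.0.0/0", 443),          # public HTTPS, not on the watch-list
    Rule("in", "allow", "0.0.0.0/0", 3389),         # RDP open to the world
    Rule("in", "deny", "0.0.0.0/0", 445),           # SMB explicitly blocked ...
    Rule("in", "allow", "0.0.0.0/0", 445),          # ... so this allow is shadowed
    Rule("in", "allow", "198.51.100.0/24", 22),     # SSH only from one partner range
    Rule("in", "allow", "0.0.0.0/0", 5900),         # VNC open to the world
]


def first_match(rules, src, dport):
    """Return (rule index, action) of the first inbound rule matching a
    packet from `src` to `dport`, or (None, "deny") for the implicit default."""
    addr = ip_address(src)
    for idx, rule in enumerate(rules):
        if (rule.direction == "in" and rule.dport == dport
                and addr in ip_network(rule.source, strict=False)):
            return idx, rule.action
    return None, "deny"


def find_exposed_services(rules, probe_src="203.0.113.10"):
    """List watch-listed services that an arbitrary external address can reach.

    Simulating the lookup instead of grepping for '0.0.0.0/0' matters: an
    allow rule shadowed by an earlier deny (SMB above) is not an exposure,
    while an allow that only admits one partner range (SSH above) is fine.
    """
    findings = []
    for port, name in sorted(RISKY_PORTS.items()):
        idx, action = first_match(rules, probe_src, port)
        if action == "allow":
            findings.append({"port": port, "service": name, "rule_index": idx})
    return findings


if __name__ == "__main__":
    for finding in find_exposed_services(SAMPLE_RULES):
        print(f"EXPOSED: {finding['service']} (tcp/{finding['port']}) "
              f"allowed by rule #{finding['rule_index']}")
```

Run against the sample, the check reports RDP and VNC as internet-reachable and stays silent on SMB and SSH. The same evaluation can be re-run after every rule change so that the "open ports" finding is caught by routine review rather than by a ransom note.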
An internal investigation revealed that the breach exposed 31,248 individuals’ protected health information (PHI) including their names, addresses, Social Security numbers, and clinical details such as diagnoses, health conditions, and prescribed medications.
The OCR’s investigation concluded that Elgon failed to conduct a comprehensive risk analysis and manage system vulnerabilities, contributing to the breach.
As part of the enforcement action, Elgon agreed to pay an $80,000 penalty and implement a corrective action plan, which includes updating its risk management processes, improving its HIPAA-related policies, training its workforce, and undergoing three years of compliance monitoring.
Since 2022, the OCR has emphasized accountability for organizations failing to meet HIPAA’s Security Rule requirements.
As OCR Director Melanie Fontes Rainer stated, “A HIPAA compliant risk analysis is not only required under the law but is also an essential step in effective cybersecurity. The best defense to cyberattacks, such as hacking and ransomware, is ensuring that potential risks and vulnerabilities to electronic protected health information have been assessed.”
Healthcare entities must perform thorough risk analyses to identify vulnerabilities in their systems. A comprehensive risk analysis should:
Once risks are identified, organizations should implement mitigation strategies like:
HIPAA compliance demands well-defined policies and procedures to safeguard PHI. These must be:
Training programs should educate employees on the following:
Since the OCR focuses on long-term accountability, healthcare organizations should:
Ransomware attacks are a persistent threat to the healthcare sector, often resulting in significant financial and reputational damage. Providers must therefore identify and mitigate potential system vulnerabilities to safeguard patient PHI during transmission and storage, avoid HIPAA penalties, and improve their cyber resilience.
To stay ahead of threats and maintain compliance:
Ultimately, learning from the Elgon enforcement action can help organizations strengthen their cyber defenses and maintain HIPAA compliance.
Read also: Higher HIPAA penalties announced
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI).
HIPAA safeguards PHI, which includes any information that can identify a patient and is related to their health condition or treatment.
See also: Communications that must remain HIPAA compliant
Legal risks include potential lawsuits from affected individuals and the associated costs of settlements, legal fees, and damage to reputation.