CHI Health is a regional health network stretching across Nebraska and southwest Iowa, serving patients and communities through fourteen hospitals. Today, CHI is grappling with every health network's nightmare of a security incident shutting down critical technology needed to run modern medicine.
CHI Health takes systems offline as they grapple with an 'IT security incident'
CHI Health reports that certain systems have been taken offline because of a data breach, but the health system is not saying how many patients were affected. However, it has taken measures to minimize disruptions. CHI Health does not yet know if private patient information was exposed, but it is working to determine the extent of the damage.
As a precautionary step, we have taken certain IT systems offline, which may include electronic health record systems and other systems," said CHI Health senior public relations strategist Taylor Miller. "Our facilities are following existing protocols for system outages and taking steps to minimize the disruption. We take our responsibility to ensure the privacy of our patients and IT security very seriously.
In a statement, CHI Health referred reporters to its parent company, MCG Health. It has also sent letters to affected patients. The letter does cite an official notification.
Locally, patients report not being able to schedule appointments, and in some instances, procedures were canceled without notification causing community frustration.
CHI has suffered from past ransomware attacks
Nebraska Medicine in Omaha was the target of a cyberattack that shut down computer systems for days in 2020. And in 2019, a third-party vendor introduced a malware virus into the health system's network through a device brought into a CHI Health location.
The attack targeted the organization's old electronic health record system, which contained medical records of patients prior to April 2016. The organization has since sent notifications to affected individuals by mail. It also filed a report with the Department of Health and Human Services Office of Civil Rights.
The attackers likely assumed that healthcare organizations would be willing to pay the ransom for access to patient data. In addition, the FBI has assessed that North Korean state-sponsored actors target organizations in the HPH sector. As a result, the agency recommends that healthcare organizations use secure networks and maintain offline data backups. They also recommend training employees on the proper procedures for detecting suspicious activity
When do hospitals need to report a healthcare data breach?
The US Department of Health & Human Services (HHS) defines a breach as "impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information."
According to the HIPAA Breach Notification Rule, covered entities must self-report a breach if it involves "unsecured" PHI. "Unsecured" PHI is "not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology."
What are the breach notification guidelines?
Covered entities must notify the affected individual no longer than 60 days following the discovery of the breach. This notification should include a brief description of the incident, the types of PHI involved, recommendations for protecting themselves, the organization's response plan, and how to access more information.
Organizations also need to notify HHS. The timing of this depends on how many people were affected. If a healthcare data breach impacts 500 or more individuals, covered entities must report it no later than 60 days after the breach. The incident can be reported annually for a breach that affected fewer than 500 people. This notification is due no later than 60 days after the end of the calendar year when the breach occurred.
If the breach involves more than 500 persons in a state, covered entities are responsible for reporting the incident to local media within 60 days. This notification should include similar information to the notice delivered to individuals.
Protect email that must be HIPAA compliant with Paubox
Healthcare providers can avoid data breaches in the first place by making risk management a top priority. Email is the leading threat vector in today's cybercrime environment, so a strong email security strategy is essential. That's where a HIPAA compliant email provider comes in.
Designed to integrate with your existing email platform, Paubox Email Suite enables HIPAA compliant email by default to ensure automatic compliance with HIPAA email rules. This means you don't have to decide which emails to encrypt, and your patients can receive your messages right in their inbox—no additional passwords or portals are necessary.Premium plan levels include robust inbound email security tools that block cyberattacks from even reaching the inbox. For example, our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect solution quickly intercepts display name spoofing attempts.
In addition to healthcare email encryption, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block cyberattacks from even reaching the inbox. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect solution quickly intercepts display name spoofing attempts.
