When Cyber-Pirates Attack the Mothership

Aug 01 2019

Over the last two decades, those of us in the healthcare industry have grown accustomed to the array of new vocabulary words and phrases, acronyms, and pseudo-blends in our daily repertoire – HIPAA, security incidents, PHI, disaster recovery plan, breach notification, and business associates, to name a few. Healthcare has always had an encoded language of its own – but who would have expected that the health care administrator’s fluency would need to extend to actual (computer) code?

Familiarity with computing platforms and cybersecurity is increasingly important for the healthcare administrator. Today, ransomware attacks and cyber-related security incidents are the latest additions to our conference call agendas and risk mitigation discussions. Who knew a techie pirate and his scurvy crew could attack your data and seize your operations? As demonstrated by the recent WannaCry ransomware attacks, cyber-pirates can hold your company captive for bounty or, worse yet, disclose protected health information (PHI) with a single keystroke. This is not a restful thought for any compliance team.

The Department of Health and Human Services (“DHHS”) Office of Civil Rights (“OCR”) recently provided a Quick-Response Checklist on the steps a covered entity and its business associates should take in response to cyber-related security incidents. The checklist is akin to a step-by-step protocol your covered entity should plan to implement for cyber-related security incidents, such as a ransomware attack. Briefly, those steps include:

  • Immediately fix any technical issues and stop the incident;
  • Mitigate any impermissible disclosures of PHI;
  • Report the crime to state or local law enforcement, the FBI and/or the Secret Service – this report should not include the PHI itself;
  • Report all cyber-threat indicators to federal and information-sharing and analysis organizations (“ISAOs”), including the Department of Homeland Security, the DHHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs – these reports should not include the PHI itself; and
  • Report the breach to the OCR. For attacks impacting 500 or more individuals, providers are required to inform the OCR as soon as possible but no later than 60 days after the discovery of the breach. For incidents involving fewer than 500 individuals, providers still have an obligation to notify the OCR within 60 days of the end of the calendar year in which the breach occurred.

Further illustrating the centrality of cybersecurity in meeting regulatory compliance, CMS has included cybersecurity within its mandated “all hazards approach” for healthcare facilities. Under this rule, all applicable healthcare facilities (including hospitals, ambulatory treatment centers, and long-term care facilities) must implement a detailed emergency preparedness plan by no later than November 16, 2017. Facilities are expected to prepare for terror attacks, natural disasters, epidemics, and now, cyberwarfare.

While the landscape of the healthcare arena evolves through technology and the ever-changing compliance and risk mitigation nuances of our daily lives, keep in mind that you do not have to go it alone. Seek help; protecting the mothership requires all hands on deck. After all, once you have created a virtual-defense strategy and emergency preparedness plan, you’ll be resting easier, at least until the next wave.

Written by Carolyn Sweet · Categorized: General Updates
