Create A Cyber Risk Management Plan Before There Is A Breach

Green Ridge Behavioral Health, LLC (Green Ridge) in Maryland recently agreed to a settlement with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In February 2021, Green Ridge filed a breach report with OCR stating that its network server had been infected with ransomware and that company files and patient electronic health records were encrypted. The ransomware attack allegedly compromised the protected health information of more than 14,000 patients.

An OCR investigation "found evidence of potential violations of the HIPAA Privacy and Security Rules leading up to and at the time of the breach."

Investigators also determined that Green Ridge failed to analyze the "potential risks and vulnerabilities to electronic protected health information"; implement security measures to reduce them; and sufficiently monitor system activity to protect against a cyberattack.

Green Ridge agreed to pay $40,000 and implement a corrective action plan that includes conducting a comprehensive and thorough analysis of these potential risks and vulnerabilities; creating a Risk Management Plan to address and mitigate them; revising its policies and procedures to comply with HIPAA, as necessary; training staff on HIPAA policies and procedures; auditing third-party arrangements; and reporting HIPAA violations to OCR.

OCR will monitor implementation of the plan for three years.

This is the second settlement reached between OCR and "a HIPAA regulated entity for potential violations identified during an investigation following a ransomware attack." "HHS' Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack" www.hhs.gov (Feb. 21, 2024).

Commentary

In the source material, one of the many settlement provisions was Green Ridge creating a "Risk Management Plan" to address data risks.

Organizations of all types can benefit from implementing a cyber risk management plan before there is a breach. This would involve conducting a risk assessment; implementing risk mitigation strategies; and continually monitoring the security of the information system.

A risk assessment may include threat modeling and vulnerability analysis through static code analysis and network, host, and database scanning. Once controls are in place, their effectiveness should be evaluated continuously rather than at a single point in time. "CMS Cyber Risk Management Plan (CRMP)" security.cms.gov (Mar. 27, 2023).
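The "monitor system activity" control that OCR found missing is the one a plan can least afford to leave on paper. As an added example (not code from the original article, HHS, or CMS), the script below watches a file-system audit feed for two coarse ransomware signals: a burst of files renamed to a suspect extension on one host, and the creation of a ransom-note file. The audit line format, the extension and note-name lists, and the threshold and window are all assumptions chosen for illustration, and the sample events are constructed, not real.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative indicators (assumptions, not a vetted list): extensions that
# ransomware families commonly append, and file names used for ransom notes.
SUSPECT_EXTENSIONS = {".encrypted", ".locked", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.txt"}

# Alert when one host renames this many files to a suspect extension within
# the window. Both values are assumptions to be tuned per environment.
WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 20


def parse_event(line):
    """Parse one audit line: '<iso-ts> <host> <action> <path> [-> <new-path>]'.
    The line format itself is an assumption made for this example."""
    parts = line.split()
    ev = {
        "ts": datetime.fromisoformat(parts[0]),
        "host": parts[1],
        "action": parts[2],
        "path": parts[3],
        "new_path": None,
    }
    if ev["action"] == "RENAME" and len(parts) >= 6 and parts[4] == "->":
        ev["new_path"] = parts[5]
    return ev


def detect(lines):
    """Return {host: reason} for hosts showing ransomware-like file activity."""
    recent = defaultdict(deque)  # host -> timestamps of suspect renames in window
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        host = ev["host"]
        if host in alerts:
            continue  # one alert per host is enough for this example
        if ev["action"] == "CREATE":
            name = os.path.basename(ev["path"]).lower()
            if name in RANSOM_NOTE_NAMES:
                alerts[host] = f"ransom note dropped: {ev['path']}"
        elif ev["action"] == "RENAME" and ev["new_path"]:
            ext = os.path.splitext(ev["new_path"])[1].lower()
            if ext in SUSPECT_EXTENSIONS:
                q = recent[host]
                q.append(ev["ts"])
                while q and ev["ts"] - q[0] > WINDOW:  # drop events outside window
                    q.popleft()
                if len(q) >= RENAME_THRESHOLD:
                    alerts[host] = (f"{len(q)} files renamed to a suspect extension "
                                    f"within {int(WINDOW.total_seconds())}s")
    return alerts


def build_sample_events():
    """Constructed sample audit lines (not real data): a server under mass
    encryption, a workstation with a few renames spread over an hour (benign
    under the threshold), and a workstation where a ransom note is written."""
    t0 = datetime(2021, 2, 1, 3, 0, 0)
    lines = []
    for i in range(25):  # 25 renames in 25 seconds on the EHR server
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ehr-srv01 RENAME /data/ehr/rec{i}.pdf -> /data/ehr/rec{i}.pdf.encrypted")
    for i in range(3):  # 3 renames 20 minutes apart: never reaches the threshold
        ts = (t0 + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} wks-07 RENAME /home/a/f{i}.docx -> /home/a/f{i}.docx.locked")
    lines.append(f"{(t0 + timedelta(minutes=5)).isoformat()} wks-12 CREATE /home/b/README_TO_DECRYPT.txt")
    lines.append(f"{(t0 + timedelta(minutes=6)).isoformat()} wks-07 CREATE /home/a/notes.txt")
    return sorted(lines)  # audit feeds arrive roughly in time order


if __name__ == "__main__":
    for host, reason in detect(build_sample_events()).items():
        print(f"ALERT {host}: {reason}")
```

Two practitioner caveats. First, rename bursts are also produced by backup, archival, and migration tools, so the threshold should be set from a baseline of normal activity on each class of host and the alert routed to someone who can act within the window, not just logged. Second, a detector like this is only one of the monitoring controls a plan should name; it does nothing for data already encrypted, which is why the same plan must also cover tested offline backups and the response steps to take when the alert fires.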

Work with your IT team or a skilled third party to conduct a risk assessment and create a cyber risk management plan to help protect your organization from a ransomware attack.
