OCR’s Expectations for Preventing Ransomware in Healthcare

Key Lessons from the Cascade Eye and Skin Centers Settlement

The recent settlement between the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and Cascade Eye and Skin Centers underscores OCR’s expectations for healthcare providers regarding cybersecurity under the HIPAA Security Rule. Following a ransomware attack that compromised nearly 291,000 patient records, Cascade agreed to a $250,000 settlement and a corrective action plan.

This marks OCR’s fourth ransomware-related settlement, at a time when ransomware incidents in healthcare have increased by 264% since 2018. The Cascade case offers essential lessons on what OCR expects from healthcare organizations in protecting electronic protected health information (ePHI) and preventing future breaches.

Key OCR Expectations for HIPAA Compliance

OCR’s investigation into Cascade’s breach highlighted several critical cybersecurity gaps, which OCR requires HIPAA-covered entities to address:

  1. Conducting a Thorough Risk Analysis

OCR expects healthcare organizations to perform detailed risk analyses to identify vulnerabilities in their systems. A comprehensive risk assessment must cover threats to the confidentiality, integrity, and availability of ePHI. Cascade’s inadequate risk analysis was a core deficiency. OCR clarified that risk analysis must be an ongoing process, not a one-time task, allowing organizations to adapt to new technologies and emerging threats.

  2. Implementing a Risk Management Plan

OCR requires organizations to create and maintain a risk management plan that addresses identified vulnerabilities. Cascade’s lack of a proactive risk management strategy left it exposed to cyber threats. OCR emphasizes the importance of documenting and routinely reviewing mitigation strategies to counteract risks before they lead to a breach, supporting a more resilient cybersecurity framework.

  3. Monitoring System Activity and Access Controls

OCR mandates regular monitoring of ePHI system activity, including access logs and alerts for unusual behavior. Cascade failed to monitor its systems effectively, delaying its awareness of the ransomware attack. Real-time monitoring helps detect unauthorized access early, enabling organizations to respond quickly and minimize data exposure. With proper access controls and audit logs, monitoring is a foundational defense against cyber threats.

  4. User Identification and Authentication

OCR expects healthcare entities to enforce strict user identification protocols, including unique identifiers and multi-factor authentication (MFA). Cascade’s inadequate user tracking left it vulnerable to unauthorized access. Assigning unique identifiers and using MFA prevents unauthorized users from accessing ePHI, ensuring that only authorized personnel interact with sensitive data.

  5. Emergency Preparedness for Cybersecurity Events

OCR’s requirements include preparedness plans for handling cybersecurity incidents, such as isolating affected systems, restoring data, and notifying affected parties. Cascade’s settlement outlines a need for emergency procedures to quickly address cyber events. OCR expects healthcare organizations to have a response plan that can be activated immediately, minimizing potential damage and protecting patient data.

  6. Regular Review and Updating of Policies

OCR expects HIPAA-related policies and procedures to be up-to-date and reflective of the latest cybersecurity practices. Cascade’s settlement underscores that outdated or poorly maintained policies put healthcare entities at risk. Regular policy reviews ensure compliance with current standards, addressing potential vulnerabilities before they result in enforcement actions.

Broader Cybersecurity Recommendations from OCR

Beyond these core compliance areas, OCR encourages additional practices to strengthen cybersecurity:

  • Review all vendor and contractor relationships for HIPAA compliance and establish business associate agreements.
  • Encrypt ePHI to prevent unauthorized access.
  • Provide regular staff training on cybersecurity practices, underscoring each member’s role in protecting patient data.

The Cascade Eye and Skin Centers case reinforces OCR’s commitment to enforcing the HIPAA Security Rule amid rising cyber threats in healthcare. By adopting these best practices and staying vigilant, healthcare organizations can protect patient data, reduce vulnerabilities, and avoid costly penalties.