Compliance & Legal

OCR settles with BA for ransomware breach

While the agreement is not an admission of liability, Doctors' Management Services has agreed to pay a penalty of $100,000 and be subject to HIPAA compliance monitoring by OCR for three years.

By Andrea Fox | November 01, 2023, 06:44 PM
Photo: Ekaterina Bolovtsova/Pexels
Following an investigation into a breach of the protected health information of 206,695 individuals, the HHS Office for Civil Rights (OCR) announced a settlement with Doctors' Management Services (DMS), a business associate that provides medical billing, payor credentialing and other third-party services to several HIPAA covered entities.
WHY IT MATTERS
Massachusetts-based DMS reported in April 2019 that an unauthorized third party had gained access to its network on April 1, 2017, and remained active in DMS's systems until deploying ransomware on December 24, 2018, roughly 20 months of undetected access.
According to OCR, the breach report DMS filed with the U.S. Department of Health and Human Services stated that PHI was exposed when its network server was infected with GandCrab ransomware.
OCR's investigation of the incident under the HIPAA Privacy, Security and Breach Notification Rules found evidence of potential failures, including insufficient system monitoring to protect against a cyberattack and a lack of HIPAA policies and procedures implementing the requirements of the Privacy Rule.
The agency said that, as a business associate of covered entities, DMS did not have adequate measures in place to protect the confidentiality, integrity and availability of electronic PHI (ePHI).
'DMS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports,' HHS said in a statement Tuesday.
Monitoring and numerous other cybersecurity best practices should happen regularly across an enterprise to prevent future attacks, according to OCR Director Melanie Fontes Rainer.
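What such a review looks like in practice, as an added example that is not part of the article and not code from DMS, HHS or OCR: the script below runs a simple activity review over a handful of constructed event lines (a flattened subset of Windows Security events 4624 and 4663; the accounts, hosts, paths and the baseline of known sources are all invented). It flags an account logging on from a host never seen for it, an interactive RDP logon in the middle of the night, and the same account reading five distinct billing files within a minute.

```python
"""Regular information-system activity review over Windows-style audit events.

Added example, not from the article or from HHS/OCR/DMS. The event lines
are constructed (accounts, hosts and paths are invented) and flatten a few
fields of Security events 4624 (logon) and 4663 (object access) to one
line each. The review flags what a routine log review should surface:
an account logging on from a host never seen for it, interactive logons
outside business hours, and one account reading many PHI files quickly.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = r"""
2018-12-20T09:02:11Z 4624 user=jsmith src=10.0.4.21 logon_type=2
2018-12-20T09:05:40Z 4663 user=jsmith object=\\fs01\billing\claims_2018.csv access=ReadData
2018-12-21T08:47:03Z 4624 user=mlee src=10.0.4.33 logon_type=2
2018-12-23T02:14:05Z 4624 user=svc_backup src=10.0.9.77 logon_type=10
2018-12-23T02:15:12Z 4663 user=svc_backup object=\\fs01\billing\claims_2017.csv access=ReadData
2018-12-23T02:15:13Z 4663 user=svc_backup object=\\fs01\billing\claims_2018.csv access=ReadData
2018-12-23T02:15:14Z 4663 user=svc_backup object=\\fs01\billing\patients.db access=ReadData
2018-12-23T02:15:15Z 4663 user=svc_backup object=\\fs01\credentialing\npi_roster.xlsx access=ReadData
2018-12-23T02:15:16Z 4663 user=svc_backup object=\\fs01\billing\remits_2018.csv access=ReadData
""".strip().splitlines()

# Baseline of (account, source host) pairs built from earlier, reviewed logs (invented).
# svc_backup is normally driven from the backup server, not from a workstation subnet.
KNOWN_SOURCES = {("jsmith", "10.0.4.21"), ("mlee", "10.0.4.33"), ("svc_backup", "10.0.2.5")}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event_id>\d+) (?P<rest>.*)$")


def parse_event(line):
    """One flattened event -> dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Values contain no spaces in the constructed sample; real 4663 paths may need quoting.
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m.group("event_id")), **fields}


def review_activity(lines, known_sources, business_hours=(7, 19),
                    burst_threshold=5, burst_window=timedelta(minutes=10)):
    """Return (timestamp, account, description) findings in event order."""
    findings = []
    seen = set(known_sources)
    recent = defaultdict(list)            # account -> [(ts, object)] inside burst_window
    minutes = int(burst_window.total_seconds() // 60)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, user = ev["ts"], ev["user"]
        if ev["event_id"] == 4624:
            pair = (user, ev["src"])
            if pair not in seen:             # first-ever logon from this host for this account
                seen.add(pair)
                findings.append((ts, user, f"first logon from {ev['src']}"))
            rdp = ev.get("logon_type") == "10"
            if rdp and not (business_hours[0] <= ts.hour < business_hours[1]):
                findings.append((ts, user, f"RDP logon at {ts:%H:%M} UTC, outside business hours"))
        elif ev["event_id"] == 4663:
            window = recent[user]
            window.append((ts, ev["object"]))
            window[:] = [(t, o) for t, o in window if ts - t <= burst_window]
            distinct = {o for _, o in window}
            if len(distinct) == burst_threshold:   # fires once, as the threshold is crossed
                findings.append((ts, user, f"{len(distinct)} distinct files read within {minutes} minutes"))
    return findings


if __name__ == "__main__":
    for ts, user, what in review_activity(SAMPLE_EVENTS, KNOWN_SOURCES):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {user:<12} {what}")
```

The rules are deliberately plain; the point is that they only produce anything if someone runs them on a schedule against the full log set, and that the baseline of known (account, host) pairs has to be kept current from previously reviewed logs. Business hours are checked against the UTC hour of the sample timestamps; use site local time in practice, and feed real 4663 events through a proper parser, since object paths can contain spaces.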
The three-year corrective action plan (CAP) DMS agreed to sets out the steps it must take to protect ePHI and maintain HIPAA compliance, which include:
- Review and update its risk analysis to identify the potential risks and vulnerabilities to ePHI within 180 days of the plan's effective date.
- Update the company's enterprise-wide risk management plan to address and mitigate the security risks and vulnerabilities found in the approved risk analysis, within 90 days of that analysis being approved.
- Review and revise its written policies and procedures to comply with HIPAA within 60 days of approval of the updated risk management plan.
- Provide each workforce member who has access to PHI with training on the approved HIPAA policies and procedures within 60 days, and then every 12 months.
DMS must also provide annual reports on its compliance with the CAP.
THE LARGER TREND
'Over the past four years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware,' according to HHS. Hacking has already increased 60% from last year, according to OCR, affecting more than 88 million individuals in 2023.
For several years, weak cybersecurity practices at business associates have been a known cause of healthcare data breaches.
GandCrab targeted older Windows PCs, no longer supported by Microsoft, through Server Message Block (SMB) vulnerabilities.
SMB is the protocol Windows computers use to share files, serial ports and printers across a network. On legacy systems the SMBv1 implementation was vulnerable to the leaked National Security Agency EternalBlue exploit, the same tool used in WannaCry and Petya; Microsoft had patched the underlying flaw in MS17-010 in March 2017, well over a year before DMS was hit. GandCrab spread through spam email, fake software-cracking sites and malicious WordPress sites, and used EternalBlue against unpatched SMB services.
'If we are lazy about patching and upgrading our systems sector-wide, GandCrab will be (somewhat) problematic for the healthcare sector,' said Lee Kim, HIMSS senior principal of cybersecurity and privacy.
'But, it's not the 1990s anymore and many healthcare organizations are a bit more proactive with their cybersecurity programs,' she told Healthcare IT News in July 2018.
Third-party cybersecurity risk from business associates like DMS has forced healthcare organizations to prioritize security in procurement, review every business associate contract regularly, deploy identity and access management across their networks and systems, implement cyber hygiene best practices and much more.
ON THE RECORD
'Our settlement highlights how ransomware attacks are increasingly common and targeting the healthcare system,' Rainer said in the HHS announcement. 'This leaves hospitals and their patients vulnerable to data and security breaches.
'In this ever-evolving space, it is critical that our healthcare system take steps to identify and address cybersecurity vulnerabilities, along with proactively and regularly review risks, records and update policies,' she added.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
Topics: Compliance & Legal, Financial/Revenue Cycle Management, Network Infrastructure, Privacy & Security