Pulmonology Coding Alert

HIPAA:

OCR Warns Entities About Prioritizing Cybersecurity

Key stakeholders met to discuss ‘interconnectedness’ of U.S. healthcare system.

With reports suggesting that UnitedHealth Group (UHG) forked over more than $22 million to Russian hackers Blackcat to alleviate the fallout from a cyberattack on its subsidiary Change Healthcare, it was only a matter of time before the feds launched an investigation into the payer’s and provider’s security practices.

Learn how federal agencies are handling the cyberattack and what it could mean for practices and providers moving forward.

Feds Convene With Industry Leaders Over the Cyber Incident

On March 12, Department of Health and Human Services (HHS) Secretary Xavier Becerra, other federal leaders, and healthcare stakeholders held a meeting to “discuss concrete actions to mitigate harms to patients and providers caused by the cyberattack on Change Healthcare,” HHS notes in a release.

The readout of the meeting lists Biden administration participants and stakeholders, which included industry organizations like the AMA and the American Hospital Association as well as payers like Humana and companies like CVS Health. The group reviewed what HHS and other federal agencies had already done to circumvent the ongoing cyberattack; however, concerns were also aired by stakeholders on how to move forward.

Federal administrators warned of the critical need to coordinate efforts to make cybersecurity a priority across the industry. In fact, White House Deputy National Security Advisor (DNSA) for Cyber and Emerging Technologies Anne Neuberger mentioned “the interconnectedness of the domestic health care ecosystem and the urgency of strengthening cybersecurity resiliency across the sector,” the release says.

OCR Tackles Accountability and Security

On March 13, the HHS Office for Civil Rights (OCR) issued a “Dear Colleagues” letter in regard to the Change Healthcare cybersecurity incident that began on Feb. 21 — and how it intended to address it as an enforcement agency. The UHG cyberattack “that is disrupting health care and billing information systems nationwide ... poses a direct threat to critically needed patient care and essential operations of the health care industry,” says HHS Office for Civil Rights (OCR) Melanie Fontes Rainer in the letter. OCR oversees HIPAA enforcement.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” Fontes Rainer continues. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

Watch out: “While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities,” Fontes Rainer stresses in the letter. That includes “ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”

Enforcing accountability for BAs’ security failures is going to be crucial as security incidents are on the rise, experts say.

“Over the past five years, there has been a 256 percent increase in large breaches reported to OCR involving hacking and a 264 percent increase in ransomware,” HHS says in a March 13 release about the investigation. “In 2023, hacking accounted for 79 percent of the large breaches reported to OCR. The large breach reported in 2023 affected over 134 million individuals, a 141 percent increase from 2022,” HHS stresses.

Tip: Providers should keep in mind that this will be far from the last cyberattack in the healthcare arena, says accounting and advisory firm Dean Dorton, which merged with VonLehman & Co. as of Jan. 1. This attack has “implications for everyone, suggesting that the future of healthcare cybersecurity will be even more difficult and destructive than in the past,” the firm says in online analysis.

Investing in cybersecurity infrastructure, conducting regular security audits and risk assessments, and implementing ongoing cybersecurity training programs for all employees will help you protect your systems, the firm advises.

Bottom line: “Healthcare has traditionally been less sophisticated when it comes to information security … [but] now is the time to get serious about protecting systems, because lives and institutions are at stake,” notes HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont.

Resources: View OCR’s “Dear Colleagues” letter at www.hhs.gov/about/news/2024/03/13/hhs-office-civil-rights-issues-letter-opens-investigation-change-healthcare-cyberattack.html.