Caution: Analyze your risks, or pay the price. The benefits of technology to healthcare are undeniable, from new clinical tools to artificial intelligence to EHRs. But with more work and patient interaction performed digitally, cybersecurity has become a top priority — and phishing is on the feds’ radar, a recent settlement suggests. Details: On Dec. 7, 2023, the HHS Office for Civil Rights (OCR) settled its first investigation of a phishing cyberattack. Louisiana-based Lafourche Medical Group, which specializes in emergency care, occupational medicine, and lab testing, identified an email phishing scheme that had impacted 34,862 individuals’ electronic protected health information (ePHI) and filed a HIPAA breach in March 2021. OCR investigated and uncovered that Lafourche had “failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization as required by HIPAA,” a release noted. “OCR also discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks,” the agency said.
Lafourche agreed to pay OCR $480,000 in fines and enter into a two-year corrective action plan (CAP) to resolve the investigation. A large part of the organization’s CAP includes devising a compliance program, implementing risk analysis practices, and training staff. “Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer in the release. “It is imperative that the healthcare industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.” Resource: View the release, which includes links to the resolution, at www.hhs.gov/about/news/2023/12/07/hhs-office-for-civil-rights-settles-first-ever-phishing-cyber-attack-investigation.html.