Create A Cyber Risk Management Plan Before There Is A Breach

Green Ridge Behavioral Health, LLC (Green Ridge) in Maryland recently agreed to a settlement with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) identified in an OCR investigation.

In February 2021, Green Ridge filed a breach report with OCR stating that its network server had been infected with ransomware and that company files and patient electronic health records were encrypted. The ransomware attack allegedly compromised the protected health information of more than 14,000 patients.

An OCR investigation "found evidence of potential violations of the HIPAA Privacy and Security Rules leading up to and at the time of the breach."

Investigators also determined that Green Ridge failed to analyze the "potential risks and vulnerabilities to electronic protected health information"; implement security measures to reduce them; and sufficiently monitor system activity to protect against a cyberattack.

Green Ridge agreed to pay $40,000 and implement a corrective action plan that includes conducting a comprehensive and thorough analysis of these potential risks and vulnerabilities; creating a Risk Management Plan to address and mitigate them; revising its policies and procedures to comply with HIPAA, as necessary; training staff on HIPAA policies and procedures; auditing third-party arrangements; and reporting HIPAA violations to OCR.

OCR will monitor implementation of the plan for three years.

This is the second settlement reached between OCR and "a HIPAA regulated entity for potential violations identified during an investigation following a ransomware attack." "HHS' Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack" www.hhs.gov (Feb. 21, 2024).

Commentary

In the source material, one of the many settlement provisions was Green Ridge creating a "Risk Management Plan" to address data risks.

Organizations of all types can benefit from implementing a cyber risk management plan before there is a breach. This would involve conducting a risk assessment; implementing risk mitigation strategies; and continually monitoring the security of the information system.

A risk assessment may include threat modeling and vulnerability analysis through static code analysis and network, host, and database scanning. Once controls are in place, the plan should call for continuously evaluating how effective those security controls actually are, not just whether they exist. "CMS Cyber Risk Management Plan (CRMP)" security.cms.gov (Mar. 27, 2023).

Work with your IT team or a skilled third party to conduct a risk assessment and create a cyber risk management plan to help protect your organization from a ransomware attack.
