The recent ransomware attack on Hollywood Presbyterian Medical Center virtually shut down the hospital. By forcing MRI, CT scan, electronic medical records and some laboratory systems offline, this attack highlights how cybersecurity vigilance is critical to the care of patients whose health or lives may depend on those systems.
Hollywood Presbyterian was hit with a ransomware attack, in which malware was introduced into the systems and the attackers demanded 9000 Bitcoin, or slightly more than $3.6 million. Patients stable enough to be moved were transferred to other hospitals, and the staff was forced to resort to such 1970s methods as paper, telephones and telefax machines to care for the remaining patients.
In the wake of the attack, the hospital may face significant legal and regulatory exposure. As with any cyber attack, but particularly one that may have placed patients at risk, the analysis by state and federal government agencies, and by counsel for patients claiming injury as a result of treatment delayed when the systems went down, will be retrospective. Questions will include whether the hospital had recently tested its vulnerability to cyber attacks, documented the assessment, and made attempts to mitigate the risk. Its security policies, and its training on those policies, will also be the subject of inquiry.
If personal health data were compromised, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services may commence an investigation. In one such investigation in 2014, OCR settled a proceeding for $150,000 against Anchorage Community Mental Health Services (ACMHS) in the wake of a cyber attack, for failing to have updated security policies and a current security risk assessment. The total cost to ACMHS was, of course, much higher when one factors in legal fees and consultants' fees in preparing and implementing the required Corrective Action Plan.
Cybersecurity compliance, as the attack on Hollywood Presbyterian indicates, goes beyond safeguarding the contents of medical records. In this age of connected and other online medical equipment, it directly impacts patient safety. If you have questions regarding cybersecurity requirements and patient safety issues, please contact Kenneth N. Rashbaum.