May 2024

OCR Continues Prioritizing Protecting Health Info & Systems Against Ransomware & Other Hacking Threats; Plans $50M Investment To Develop Cybersecurity Tools

May 20, 2024

Responding to concerns heightened by a series of health industry cybersecurity incidents disrupting patient health care and privacy resulting from unpatched systems and devices like those recently experienced by UnitedHealthcare Group subsidiary Change Health, Ascension Healthcare and other health industry organizations, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) is making safeguarding PHI a top priority. Along with the growing series of guidance packages, enforcement, audit and other efforts, OCR and the Advanced Research Projects Agency for Health (“ARPA-H”) are investing more than $50 million to help develop tools to help hospital and clinic IT teams better protect their health information record systems and patients from ransomware and other cyberattacks.

OCR Responds To Care Disruptions From Health Industry Ransomware Attack

In September, 2021, OCR clearly warned health care providers, health plans, healthcare clearinghouses and their business associates (“covered entities”) to protect their health information systems and electronic protected health information against ransomware, hacking and similar outside threats by publishing its Fact Sheet: Ransomware and HIPAA as well as through a growing list of hacking and ransomware related resolution agreements. See e.g. HHS’ OCR Settles HIPAA Investigation with Phoenix Healthcare; HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million; HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation with Doctors’ Management Services; HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations; HHS Office for Civil Rights Settles HIPAA Investigation with iHealth Solutions Regarding Disclosure of Protected Health Information on an Unsecured Server for $75,000; HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000; HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking; Oklahoma State University – Center for Health Services Pays $875,000 to Settle Hacking Breach.

While OCR historically waited to publicly respond to these and other massive breaches until its announcement of resolution agreements reached after years’ long investigations of these massive breaches, the massive disruptions in patient care resulting from the February, 2024, UHG Breach prompted OCR to act quickly. Just weeks after UHG first announced the February 23, 2024, ransomware attack and before receiving a breach report from UHG or Change Health, OCR announced its opening of an investigation and issued its March 13, 2024 Dear Colleague letter. See e.g., HHS Office for Civil Rights Issues Letter and Opens Investigation of Change Healthcare Cyberattack. In the March 13, 2024, Dear Colleague letter:

Confirmed OCR’s opening and prioritization of an investigation of Change Healthcare and UnitedHealth Group focused on whether a breach of protected health information (PHI) occurred and on the entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules because of the cyberattack’s unprecedented impact on patient care and privacy.
Confirmed that OCR anticipates that it eventually also will conduct secondary investigations of the HIPAA compliance of covered entities that have business associate relationships with Change Healthcare and UHG, and those organizations that are business associates to Change Healthcare and UHG.; and
Reminded all of these partner entities of their HIPAA obligations to have business associate agreements in place and to ensure that timely breach notification to the Department of Health and Human Services (HHS) and affected individuals occurs.

Subsequently, OCR has shared additional guidance on its expectations for covered entity response to the UHG Breach in its Change Healthcare Cybersecurity Incident Frequently Asked Questions page (“FAQ”}. Among other things, the FAQ reminds covered entities that its OCR’s ransomware guidance provides specific information on the steps covered entities and business associates should take to determine if a ransomware incident is a HIPAA breach and confirming that OCR will presume a breach of electronic protected information occurred and that a covered entity is required to provide notification unless a covered entity impacted by the breach can demonstrate its investigation proves a “…low probability that the PHI has been compromised,” based on the factors in the Breach Notification Rule.

Since UHG has indicated it may be months before its can restore its systems sufficiently to determine the identities of the individuals whose protected health information was breached and other relevant data,he FAQ also provides guidance to covered entities about options for making breach reports given the existing uncertainty of the information available from UHG currently.

These and other actions by OCR in response to the UHG breach send a strong message to all covered entities OCR’s readiness to act zealously against covered entities that fail to take appropriate steps to safeguard their health information systems and data against ransomware and other hacking.

UPGRADE Program To Fund Development of Hospital & Clinic Cybersecurity Tools

OCR and ARPA-H’s May 20, 2024 announcement of plans to invest $50 million investment in heath industry cybersecurity under the ARPA-Hs’s new Universal Patching and Remediation for Autonomous Defense (“UPGRADE”) program reflects HHS is moving to help covered entities to fulfill their HIPAA responsibilities along with vigorously investigating large ransomware and hacking related breaches at covered entities. According to the May 20, 2024 announcement, ARPA-H will solicit proposals for the development of tools to effectuate the UPGRADE program in four technical areas: creating a vulnerability mitigation software platform, developing high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses.

HHS ARPA-H established the UPGRADE program in recognition that cyberattacks that disrupt hospital or clinic operation can impact patient care or even lead to facility closure. The establishment of the UPGRADE program recognizes that complexities of the software systems used in a given health care facility, the number and variety of internet-connected devices unique to each facility, disruptions caused by taking critical pieces of hospital infrastructure offline for updates, and other unique challenges impacting hospitals often delay development and deployment of software fixes. These and other complexities and challenges often leave actively supported devices in hospitals and clinics vulnerable for over a year and unsupported legacy devices vulnerable far longer.

The ARPA-H’s UPGRADE program is tasked with developing tools to reduce the effort it takes to secure hospital equipment and ensure devices are safe and functional so that health care providers can focus on patient care. HHS anticipates that the UPGRADE platform will enable proactive evaluation of potential vulnerabilities by probing models of digital hospital environments for weaknesses in software. Once a threat is detected, a remediation (e.g., patch) can be automatically procured or developed, tested in the model environment, and deployed with minimum interruption to the devices in use in a hospital. HHS hopes the UPGRADE program will ‘speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care.

The UPGRADE program adds a new element to ARPA-H’s ongoing digital health care security efforts. It Digital Health Security Initiative, DIGIHEALS, launched last summer focuses on securing individual applications and devices. ARPA-s also recently partnered with the Defense Advanced Research Projects Agency for the Artificial Intelligence Cyber Challenge, or AIxCC, a prize competition to secure open-source software used in critical infrastructure.

The UPGRADE program aims to secure whole systems and networks of medical devices to ensure solutions can be employed at scale. Multiple awards under this solicitation are anticipated. To learn more about UPGRADE, including information about the draft solicitation, virtual Proposers’ Day registration, and how to state interest in forming an applicant team, visit the UPGRADE program page. For more information on HHS’ Cybersecurity Performance Goals and HHS’ cybersecurity work, visit HHS Cybersecurity Gateway.

Other OCR Cybersecurity Guidance & Tools

Safeguarding protected health information is a top OCR priority. Before announcing the UPGRADE program, OCR already has provided a growing list of resources to help entities protect their record systems and patients from cyberattacks, including:

OCR HIPAA Security Rule Guidance Material – This webpage provides educational materials to learn more about the HIPAA Security Rule and other sources of standards for safeguarding electronic protected health information. Materials include a Recognized Security Practices Video, Security Rule Education Paper Series, HIPAA Security Rule Guidance, OCR Cybersecurity Newsletters, and more.
OCR Video on How the HIPAA Security Rule Protects Against Cyber-Attacks – This video educates the health care industry on real world cyber-attack trends from OCR breach reports and investigations and explores how implementation of HIPAA Security Rule safeguards can help detect and mitigate common cyber-attacks. Topics include OCR breach and investigation trend analysis, common attack vectors, OCR investigations of weaknesses that led to or contributed to breaches, and how Security Rule compliance can help regulated entities defend against cyber-attacks.
OCR HIPAA Risk Analysis Webinar – This webinar discusses the HIPAA Security Rule Risk Analysis discusses the HIPAA Security Rule requirements for conducting an accurate and thorough assessment of potential risks and vulnerabilities to electronic protect health information and reviews common risk analysis deficiencies OCR has identified in its investigations.
HHS Security Risk Assessment Tool – This tool is designed to assist small- to medium-sized entities in conducting an internal security risk assessment to aid in meeting the security risk analysis requirements of the HIPAA Security Rule.
Factsheet: Ransomware and HIPAA – This resource provides information on what is ransomware, what covered entities and business associates should do if their information systems are infected, and HIPAA breach reporting requirements.
Healthcare and Public Health (HPH) Cybersecurity Performance Goals – These voluntary, healthcare-specific cybersecurity performance goals can help healthcare organizations strengthen cyber preparedness, improve cyber resiliency, and protect patient health information and safety.
Ransomware Guidance – OCR’s ransomware guidance provides specific information on the steps covered entities and business associates should take to determine if a ransomware incident is a HIPAA breach. The HIPAA Rules define a breach as “…the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of the PHI.” See 45 CFR 164.402. Whether the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination.

In the face of these developments, hospitals and clinics, as well as other covered entities should timely complete documented risk assessments of their exposures and diligent, well-documented and reasoned efforts to ensure their systems are timely and appropriately implemented and updated timely to incorporate all necessary software patches and other processes needed to defend against ransomware and other hacking.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Leave a Comment » | data breach, Health Care, HIPAA, PHI, ransomware | Tagged: cybersecurity, healthcare, HIPAA, Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

Cleveland Clinic Foundation Pays $7.6M To Settle FCA Charges Relating To NIH Grants

May 20, 2024

The Cleveland Clinic Foundation (“CCF”) has agreed to pay $7,600,000 to resolve allegations that it violated the False Claims Act (“FCA”) by submitting to the National Institutes of Health (“NIH”) federal grant applications and progress reports in which CCF failed to disclose that a key employee involved in administering the grants had pending and/or active financial research support from other sources.

The settlement resolves allegations that CCF made false statements to NIH, a component of the Department of Health and Human Services (“HHS”), in connection with three federal grant awards. Despite NIH requirements to do so, federal officials charged CCF repeatedly failed to disclose that the employee who it designated as the Principal Investigator on each grant had pending and/or active grants from foreign institutions that provided financial assistance to support the employee’s research and already obligated that employee’s research time. CCF falsely certified that the grants submissions were true and accurate. The settlement also resolves allegations that CCF violated NIH password policies by permitting CCF employees to share passwords. Some of the false submissions wherein CCF failed to disclose the Principal Investigator’s foreign grant support were made by CCF employees who were inappropriately given access to NIH’s online grant reporting platform.

NIH requires full transparency in applications and throughout the life of the grants it awards. This includes a requirement that grant applicants disclose all sources of research support, from any source, on grant applications and on follow-up documents relating to grant awards. NIH uses this information to determine if the applicant has the time necessary to allocate to the proposed research project, and if the research proposal has other sources of funding that are duplicative. It also assists NIH in determining if an applicant’s financial interests may affect its objectivity in conducting research.

Under the Cleveland Clinic Settlement Agreement, CCF will pay $7.6 million settlement and be subject to additional NIH imposed Specific Award Conditions on all CCF’s grants for a one-year period.

Federal regulations allow NIH to impose Specific Award Conditions on grant recipients, including on recipients that do not comply with the terms of a federal award. In this case, NIH is requiring a high-level CCF employee to personally attest to the truth, completeness, and accuracy of all “other grant support” information CCF provides to NIH. CCF must also develop a corrective action plan that includes an assessment of internal controls related to other grant support and foreign-component reporting; create a mandatory training program addressing requirements for disclosing other grant support, research security, and cyber security; and develop an improvement plan for its internal controls, ensuring that CCF has oversight at the institutional level to confirm that the information its Principal Investigators disclose is true, complete, and accurate, among other requirements. The Specific Award Conditions will begin Oct. 1, 2024, and remain in effect through Sept. 30, 2025, or until NIH is satisfied that CCF has successfully completed the Corrective Action Plan.

The Department of Justice FCA enforcement and settlement illustrate the importance for researchers receiving NIH grants to ensure the accuracy of information reported in applications and other documentation related to federal grants. U.S. Attorney Rebecca C. Lutzko for the Northern District of Ohio said, “Today’s settlement illustrates the importance of being truthful at every stage of the grants process.”