The prevalence of ransomware attacks is increasing. In fact, “[o]n average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016,” according to a recent interagency government report. Given this known threat, contingency planning by hospitals becomes even more important. This week, the Office of the Inspector General (OIG) released the results of its study of Electronic Health Record (EHR) Contingency Plans at a sample of 400 hospitals that received Medicare incentive payments for using a certified EHR System as of September 2014.
OIG studied the hospitals’ contingency plans for the HIPAA requirements (existence of a data backup plan, a disaster recovery plan, an emergency-mode operations plan, and testing and revision procedures). OIG found that nearly all hospitals questioned had written EHR contingency plans and almost two-thirds addressed all four HIPAA requirements. In addition, OIG assessed whether hospitals implemented the recommended practices from the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC) on contingency planning. OIG found that the hospitals surveyed generally implemented many practices recommended by ONC and NIST for EHR contingency plans.
Importantly, the study also revealed that 59 percent of the hospitals surveyed reported an unplanned EHR disruption making their EHR systems unavailable to staff in the preceding year. This number is especially high given the fact that the recent interagency government report cites a “300 percent increase over the approximately 1,000 attacks per day seen in 2015.” Thus, the percentage of hospitals experiencing unplanned EHR disruptions may be even higher today. Of the 60 percent of surveyed hospitals reporting unplanned disruptions, the largest causes of the disruptions were hardware malfunction/failure (59 percent) and internet connectivity problems (44 percent). The chart below provides the complete breakdown of the reported causes for EHR disruptions among the respondent hospitals.
More concerning is the fact that about a quarter of those hospitals that reported having experienced an unplanned EHR disruption also reported that delayed patient care resulted from the disruption, and 15 percent rerouted patients because of the disruption. This data underscores OIG’s prior work showing that many hospitals experienced significant challenges in responding to Superstorm Sandy, which “included damage to health information systems and curtailed access to patient medical records.” In response to its findings, OIG reiterated its previous recommendation that OCR institute a permanent audit program to assess compliance with HIPAA requirements.
Importantly, this report comes on the heels of OCR’s recent Fact Sheet on Ransomware and HIPAA, in which OCR acknowledged the rapid increase in ransomware attacks and explained that when ePHI is encrypted by a ransomware attack, a breach has taken place: the encryption of the ePHI by the ransomware constitutes an unauthorized taking of the information, and thus a disclosure has occurred that is not permitted under the HIPAA Privacy Rule. OCR advised that unless a low probability of compromise of the data can be established, a breach is presumed to have occurred and the entity must comply with the applicable breach notification provisions.
The bottom line is that, unfortunately, ransomware attacks have become part of our new normal, and OCR, OIG and other government agencies are attempting to address this rapidly expanding threat.