On June 9, 2021, the Office for Civil Rights (OCR) shared a cyber-alert containing important updates on how companies can protect their operations from ransomware attacks. The guidance comes from the White House and the Cybersecurity and Infrastructure Security Agency. The memo, entitled “What We Urge You To Do To Protect Against The Threat of Ransomware,” addresses the increased frequency and magnitude of ransomware incidents, calling upon the private sector to join the government’s efforts to protect organizations from the growing threat of such attacks.
This memo comes on the heels of President Biden’s Executive Order to improve the nation’s cybersecurity and protect federal government networks — further indicating the prioritization of cybersecurity in the federal government and private entities. In conjunction with providing essential guidance to private entities, the memo also highlights the government’s efforts to develop cohesive and consistent policies towards ransom payments, enable rapid tracing and interdiction of virtual currency proceeds, and work with the international community to hold countries that harbor ransomware actors accountable.
Providing concrete steps private entities can follow, the memo urges companies to take the following actions to improve their cybersecurity: (1) implement the five best practices from the President’s Executive Order, including, for example, multifactor authentication and data encryption; (2) back up data, regularly test systems, and keep backups offline; (3) update and patch systems promptly; (4) test incident response plans; (5) evaluate the organizational security team’s practices by using a third-party tester to determine cybersecurity readiness; and (6) segment company networks so that, if one segment is compromised, the harm is mitigated.
While the memo provides vital and timely guidance on cybersecurity practices to private entities, it generally carries no binding effect. However, the non-binding nature of the memo should not create a false sense of reduced responsibility. OCR has demonstrated that it will collect large monetary settlements from regulated entities that fail to appropriately safeguard their networks and systems from cyberattacks. For example, OCR settled a data breach matter with CHSPSC LLC (CHSPSC) after the information technology (IT) provider allowed hackers using compromised administrative credentials to access the IT systems of the healthcare providers it served. CHSPSC agreed to pay $2.3 million to settle this matter. OCR’s investigation found a history of “systemic noncompliance” with the HIPAA Security Rule by CHSPSC, despite an express warning of attempted hacking from the FBI. “The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said then-OCR Director Roger Severino in announcing the settlement.
We will continue to report on any additional guidance provided by OCR as they seek to aid the government in cybersecurity efforts across the public and private sectors. Should you have any questions related to cybersecurity best practices, potential liability, or OCR guidance, please do not hesitate to reach out to the health care attorneys at Reed Smith.
This post was co-authored by Marquan Robertson, a Reed Smith summer associate.