Nearby College’s Health Sciences Center Is Also Experiencing an IT Outage
University Medical Center – a Lubbock, Texas-based public health system that includes a level-one trauma center and a children’s hospital – is diverting ambulances as it works to recover from an IT outage affecting some patient services in the wake of a ransomware attack late last week.
UMC’s healthcare facilities, including its clinics and physician offices, remain open, but certain departments and providers have been on downtime procedures since the incident was detected Thursday, according to a UMC notice posted on its website.
“Patients may encounter delays. Please bring your medical prescriptions list with you,” UMC said. Non-emergency laboratory and radiology appointments are also being delayed. “Access to clinics via phones and the portal are not guaranteed, so please come to the clinic for immediate assistance,” the notice said.
“Additionally, and out of an abundance of caution, we are temporarily diverting incoming emergency and non-emergency patients via ambulance to nearby health facilities until we restore access to our systems,” UMC said. “If you have questions about an upcoming appointment, please call or check with your provider.”
UMC said it does not have an estimated timeline for full restoration of services. “We have implemented downtime procedures and accommodations wherever possible in order to minimize any disruption to our patients and our critical services. We continue to carefully evaluate our operations with patient safety in mind. We will only restore services once it is deemed safe to do so.”
UMC is also the primary teaching hospital for nearby Texas Tech University Health Sciences Center, which is also experiencing an IT outage.
It is unclear whether the two incidents are related. Neither UMC nor TTUHSC immediately responded to Information Security Media Group’s requests for details about their outages.
TTUHSC in a Facebook post Monday said it was “working through an IT issue” and that until further notice, team members and students will not be able to access TTUHSC electronic resources.
“On Sept. 30, there will be limited clinical operations and no academic operations at TTUHSC campuses and sites. Supervisors will be in contact with team members regarding who needs to report for work,” TTUHSC said.
Under Scrutiny
UMC is among the latest health systems to experience ransomware attacks that have disrupted patient care services in recent weeks and months.
Missouri-based hospital chain Ascension and Michigan-based McLaren Health System suffered ransomware attacks in May and August, respectively, resulting in IT outages that kept clinical systems, such as electronic health records, offline for several weeks.
Regulators and lawmakers are intensifying their scrutiny of healthcare organizations that fall victim to such incidents, especially following the February ransomware attack on Change Healthcare, which disrupted thousands of healthcare sector entities for weeks.
Over the past two years, the U.S. Department of Health and Human Services has been fining organizations for breaches caused by ransomware attacks. HHS issued its fourth enforcement action to date against HIPAA-regulated organizations following an investigation into a ransomware incident.
HHS’ Office for Civil Rights levied a $250,000 financial penalty and corrective action plan against Washington state-based Cascade Eye and Skin Centers in the wake of a ransomware breach that affected 291,000 files containing electronic-protected health information.
HHS OCR’s investigation into the incident found that Cascade Eye and Skin Centers failed to conduct a HIPAA security risk analysis. This analysis would have identified potential risks and vulnerabilities to ePHI in its systems. The center also lacked sufficient monitoring of its health information systems’ activity to protect against a cyberattack.
Cascade Eye and Skin Centers agreed to pay the financial penalty and implement a series of measures to improve its security and privacy practices around PHI under the settlement with HHS OCR. This includes developing policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI.
“Cybercriminals continue to target the healthcare sector with ransomware attacks,” said Melanie Fontes Rainer, director of OCR at the U.S. DHHS, in a statement. “Healthcare entities that do not thoroughly assess the risks to electronic-protected health information and regularly review the activity within their electronic health record system leave themselves vulnerable to attack and expose their patients to unnecessary risks of harm,” she said.
“Ensuring the confidentiality of electronic-protected health information is critical to protect health information privacy and integral to our national security in the healthcare sector.”
Meanwhile, last week two Democratic lawmakers – Senate Finance Committee Chair Ron Wyden, D-Ore., and Sen. Mark Warner, D-Va. – unveiled legislation proposing stricter security mandates for healthcare sector entities, especially those that are considered critical to national security (see: Healthcare Cyber Bill Calls for Corporate Accountability).
The Health Infrastructure Security and Accountability Act is the latest bill aiming to help prevent healthcare sector organizations from falling victim to highly disruptive cybersecurity attacks and related major data breaches.