Boss of Gang Behind Attack on University of Vermont Medical Center Facing 40 Years in Jail
A Ukrainian man accused of leading racketeering groups that conspired to infect thousands of business computers with malware has pleaded guilty in federal court in Nebraska to one count of conspiracy to commit wire fraud and one count of conspiracy to violate U.S. anti-racketeering laws. One of the victims, the University of Vermont Medical Center, was infected with ransomware that took its IT systems offline for more than two weeks and prevented the medical center from providing critical patient services for that period. The Department of Justice said the attack on the medical center created a risk of death or serious bodily injury for patients and cost the medical center more than $30 million.
Vyacheslav Igorevich Penchukov, 37, aka Vyacheslav Igoravich Andreev and known online as Tank and Father, was accused of leading two cybercriminal groups, JabberZeus and IcedID, between 2009 and 2021. JabberZeus distributed the Zeus banking trojan and IcedID distributed the IcedID banking trojan. Both of these widely used malware variants stole usernames, passwords, and other information that allowed the attackers to gain access to victims’ online bank accounts.
According to the Department of Justice, “Penchukov and his co-conspirators then falsely represented to banks that they were employees of the victims and authorized to make transfers of funds from the victims’ bank accounts, causing the banks to make unauthorized transfers of funds from the victims’ accounts, resulting in millions of dollars in losses to the victims.” The groups then hired money mules in the United States to receive the fraudulent transfers, withdraw the funds, and then wire the money to overseas accounts under the control of Penchukov and his co-conspirators.
Penchukov was indicted in 2012 for his role in the JabberZeus group and was placed on the Federal Bureau of Investigation’s (FBI) Most Wanted List, where he remained for almost a decade. While on the FBI’s Most Wanted List, Penchukov led the IcedID gang from November 2018 to February 2021. IcedID also infected devices with malware to steal banking information. The IcedID trojan could also be used to deliver other malware payloads, including ransomware, as was the case with the attack on the University of Vermont Medical Center in October 2020.
Penchukov was arrested in Switzerland in 2022 and was extradited to the United States in 2023. On February 15, 2024, Penchukov appeared in court in Lincoln, Nebraska, and pleaded guilty to one count of conspiracy to commit a Racketeer Influenced and Corrupt Organizations (RICO) Act offense for his role in the JabberZeus gang, and one count of conspiracy to commit wire fraud for his role in the IcedID group. Penchukov faces a maximum of 40 years in jail – up to 20 years for each count – and will be sentenced on May 9, 2024.
The post Boss of Gang Behind Attack on University of Vermont Medical Center Facing 40 Years in Jail appeared first on HIPAA Journal.
Connexin Software Proposes Class Action Lawsuit Settlement to Avoid Bankruptcy
Connexin Software, which does business as Office Practicum, has proposed a $4 million settlement to resolve a consolidated class action lawsuit stemming from a 2022 data breach that affected almost 3 million individuals. Office Practicum provides pediatric-specific health information technology solutions to healthcare providers, including electronic health records, practice management software, billing services, and business analytics tools.
On August 26, 2022, Connexin Software said it detected a data anomaly within its internal network, and the subsequent forensic investigation confirmed that an unauthorized third party had obtained an offline set of patient data that was used for data conversion and troubleshooting. The compromised data included the protected health information of 2,675,934 patients, the majority of whom were children: names, guarantor names, parent/guardian names, addresses, email addresses, dates of birth, Social Security numbers, health insurance information, medical and treatment information, and billing and claims data.
Several class action lawsuits were filed against Connexin Software shortly after the company announced the breach, nine of which were consolidated into a single class action lawsuit as they all made similar claims, including an alleged failure to implement reasonable and appropriate security measures to protect patient data. Children’s data is particularly valuable to cybercriminals as it can be misused for years. The affected individuals suffered an invasion of privacy and immediate and long-term risks of identity theft, fraud, medical identity theft, misappropriation of health insurance benefits, and other misuses. The plaintiffs argued that the threat actor behind the attack could also sell the data of children to human trafficking groups.
The settlement is in the best interests of all parties concerned. The plaintiffs will be able to claim for reimbursement of out-of-pocket expenses and Connexin Software will avoid further legal costs. Connexin Software explained to the judge when filing the preliminary settlement that if the lawsuit had progressed much further, the company would have no option other than to file for bankruptcy protection.
All parties have agreed to the proposed settlement, which has received preliminary approval from a Pennsylvania federal court judge. The plaintiffs and class members have been given three options: Expanded identity theft protection services for three years and coverage by a $1,000,000 identity theft insurance policy; reimbursement for unreimbursed out-of-pocket expenses up to a maximum of $7,500 per class member; or a flat-fee cash payment, the amount of which will be determined based on the claims received. Connexin Software has also agreed to invest $1.5 million in its information security program to better protect patient data in the future. Attorneys for the plaintiffs and class members are seeking around $1.3 million in fees.
“The parties were well-aware of each other’s strengths and weaknesses by virtue of the court’s ruling on Connexin’s partial motion to dismiss, their exchange of thousands of pages of documents, nearly a dozen depositions, and mediation-related discovery and analysis directed at Connexin’s finances,” states the settlement document. “Rather than prolonging the litigation, plaintiffs have reached a settlement that will immediately provide them and class members with significant benefits for their injuries arising from the data security incident.” The settlement now awaits a final hearing, the date for which has not yet been set.
What is Risk Management in Healthcare?
Risk management in healthcare is the practice of analyzing healthcare practices and processes to identify risks and opportunities, assess their likelihood and potential impact, and implement controls to prevent losses and optimize profitability. Within each organization, the practice of managing risk can be influenced by the nature of the organization’s structure, the organization’s risk culture/appetite, and the resources available to conduct risk analyses.
The Definition of Risk Management in Healthcare
There is no one-size-fits-all definition of risk management in healthcare because a risk in healthcare is defined as the likelihood of a particular threat triggering or exploiting a particular vulnerability, resulting in harm or damage to a patient, an organization, or its workforce. (Abridged from the definition of risk in HHS’ Guidance on Risk Analysis).
Using this definition of risk, the “traditional” definition of risk management in healthcare is the identification, assessment, and minimization of the organization’s exposure to risks in order to improve patient care, reduce liability risks, and prevent financial losses. However, using this definition of risk can lead to the management of risks being conducted by separate business units in “risk silos”.
This can result in a lack of communication, coordination, and oversight, which limits the effectiveness of risk management activities. To make risk management in healthcare more effective, there is a growing trend away from risk silos and towards organization-wide “enterprise” risk management in healthcare – defined by the American Society for Healthcare Risk Management (ASHRM) as:
“Enterprise risk management in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection and creation by managing risk and uncertainty and their connections to total value”.
The ASHRM’s definition of risk management in healthcare suggests that the management of risks should not only serve the “traditional” purpose, but also be used to identify ways in which processes can be improved, healthcare activities can be made more efficient, the demand on healthcare resources can be reduced, and patient satisfaction/workforce retention can be increased.
More about Enterprise Risk Management in Healthcare
The ASHRM’s model for enterprise risk management in healthcare consists of eight “risk domains”. Not all eight domains will apply in all risk scenarios, but it is important for those with the responsibility for managing risks to be aware of the domains and to consider the possibility of risks and opportunities (both value opportunities and opportunities to learn) existing in each domain.
1. Operational
Operational risks occur when a vulnerability in an internal process or system – or an event attributable to human error – affects business operations. Such risks could include a failure in the process for data breach incident response, a failure in a data backup system, or a failure by a workforce member to configure software securely which undermines other security measures.
Analyzing healthcare practices and processes in the operational risk domain might not only identify areas where controls need to be implemented to prevent the risks (e.g. adding failover support to the data backup system), but can also identify opportunities for improvement, such as building DevSecOps best practices into all application development.
2. Clinical/Patient Safety
The clinical/patient safety domain relates to the delivery of care to patients, residents of care homes, and other recipients of healthcare. Clinical/patient safety risks can include medication errors, surgical mistakes, patient misidentification, hospital-acquired conditions, and patient or visitor injuries attributable to slips, trips, and falls or other hazards covered by the OSH Act.
Most potential clinical and patient safety risks are well chronicled, and risk managers should be able to locate risk management checklists that cover these risks. As a note of interest, it was the analyses of clinical and patient safety that led to the Centers for Disease Control and Prevention (CDC) revising its Guidelines for the Prevention of Catheter-Associated Urinary Tract Infections in 2009.
3. Strategic
Strategic risks are risks associated with the focus and direction of the organization and can include the failure to adapt to changing best practices, technologies, and patient priorities, or failing to act quickly enough when regulatory changes occur. These failures can result in losses to competitors, reputational damage, or enforcement action being taken by regulatory authorities.
As well as applying to operational units, the strategic domain in ASHRM’s model for enterprise risk management in healthcare can apply to business units such as managed care partnerships, media relationships, marketing, etc. As well as identifying risks in these units, an effective risk analysis can also identify ways for each unit to operate more efficiently.
4. Financial
In the healthcare industry, the financial sustainability of an organization can be at risk from events theoretically under an organization’s control – such as fraud (both internal and external), malpractice lawsuits, regulatory fines, etc. – and events that are outside of an organization’s control, such as increasing capital equipment costs and interest rates, or unpaid bills.
While it is impossible to implement controls that manage risks outside of an organization’s control, it may be possible to identify ways to mitigate the impact of such events. For example, to mitigate the impact of increasing capital equipment costs and interest rates, it may be better to lease capital equipment on a fixed rate basis – potentially saving thousands of dollars across the organization.
5. Human Capital
An organization’s human capital is its workforce; and, as most healthcare organizations will have experienced during the COVID-19 pandemic, the workforce is the key component of any healthcare organization. As a result, it is important that risks to the wellbeing of the workforce are prioritized in order to prevent avoidable illnesses and injuries, low morale, and recruitment costs.
As well as using a risk assessment to identify, assess, and control risks to the workforce, healthcare organizations should use a risk assessment to identify areas in which the wellbeing of the workforce can be enhanced – for example, by implementing policies that encourage members of the workforce to confidentially report workplace violence or sexual harassment.
6. Legal/Regulatory
The legal/regulatory risk domain includes the failure to identify, manage, and monitor compliance with federal, state, and local laws and regulations – for example, a healthcare organization in Dallas would likely have to comply with at least HIPAA, CMS’ conditions for participation in Medicare and Medicaid, OSHA, the Texas Medical Records Privacy Act, and the City of Dallas Fire Code.
When compliance with laws and regulations of this nature is managed in separate risk silos, the danger exists that compliance efforts will be duplicated. When they are managed holistically, similar compliance requirements can be combined to reduce the regulatory burden. In this example, the fire prevention requirements of the Dallas Fire Code, OSHA, and CMS’ conditions are almost the same.
7. Technology
The technology risk domain not only covers software and data, but the systems they run on and the devices on which the systems run. In addition, depending on what enterprise risk management activities are conducted in the operational and strategic domains, the technology risk domain can also cover operational processes and automated decision making technologies.
The potential opportunities in this domain depend on the degree of integration between technologies. For example, patient scheduling software integrated with a practice management system and EHR system can improve the patient experience, accelerate billing and payment processes, and support HIPAA compliant messaging (among other benefits).
8. Hazard
The hazard domain is a catch-all domain for other types of foreseeable risks that could cause business interruption. This domain includes natural disasters and facility issues (e.g. construction, renovation, etc.) and will soon also include hospital preparedness for emerging infectious disease epidemics such as the COVID-19 pandemic.
While this domain is a bit of a grey area in terms of risk assessment responsibilities, it provides an opportunity for an organization to demonstrate a commitment to mitigate the impact of risks in the operational, clinical/patient safety, financial, and human capital domains – enhancing an organization’s reputation while protecting its future operational capabilities.
Risk Management Strategies in Healthcare
In its guide to the history of risk management in healthcare and the evolution to enterprise risk management, ASHRM argues the case that every member of a healthcare organization’s workforce is a risk manager – from the housekeeper that ensures the correct germicide is used on the correct surfaces for the correct amount of time to the organization’s CEO.
While it is difficult to disagree with this argument, it is necessary for there to be an oversight of how risks are managed. This involves determining what frameworks, models, and processes are used to identify vulnerabilities, how risks are analyzed in the context of the organization’s risk culture, and what controls are implemented to correspond with the organization’s risk appetite.
However, when risk management strategies in healthcare are executed by separate business units, inconsistencies between the strategies can result in the same frameworks being used in different ways to obtain conflicting results. Even simple probability/harm risk matrices can produce different results due to ambiguous inputs or qualitative ratings being assigned to quantitatively smaller risks.
It is for this reason that ASHRM advocates an enterprise risk management model (also known as a holistic or integrated risk management model) in which a risk management team liaises with C-Suite Executives to communicate the risk management strategy, coordinate risk management activities, and oversee the controls put in place to prevent losses and optimize profitability.
Enterprise Risk Management in Healthcare Examples
The enterprise risk management model is particularly effective in healthcare because few activities impact just one domain. However, when multi-domain activities are being analyzed, it is important to have “subject matter experts” liaise with the risk management team in order to broaden the assessment of a potential risk and identify opportunities to create value for the organization.
Actual examples of effective enterprise risk management in healthcare do not appear in the public domain. However, ASHRM has produced a theoretical example of how risk assessing a change of process can result in the creation of value across all eight domains – in this case, changing the process of using a transporter to escort all discharged patients out of the hospital in a wheelchair.
The background to this risk assessment is that engaging a transporter to escort discharged patients out of the hospital in a wheelchair fulfils the organization’s duty of care for safe patient discharges. But what would be the risks and the value if this discharge process were used more selectively?
- Value in the operational domain is acquired by reducing the number of transporters and wheelchairs required for a room turnaround.
- Patients who can safely walk out of the hospital increase value in the clinical/patient safety domain by eliminating wait times (for a transporter) and vacating rooms quicker for the next admission.
- The strategic value lies in the fact that a discharge has been performed to the patient’s satisfaction, which can increase confidence in – and the reputation of – the organization.
- The improved patient throughput – even if by only 30 minutes per patient – can have a positive impact on profitability and other metrics in the financial domain.
- Reduced transportation requirements may facilitate the better use of resources in the human capital domain, or enable flexible schedules to increase employee satisfaction.
- Giving patients the choice of whether they would prefer to walk or be escorted increases the legal/regulatory perception that organizations are recognizing patient preferences and rights.
- If the discharge process becomes discretionary (for patients), existing technologies could be put to better use to support the discharge process and communication during the process.
- The hazard domain is both win and lose, as there is an increased risk of patients falling, but there is also the reduced risk of fewer wheelchairs being a trip hazard in cluttered hallways.
Why Risk Management is Important to Healthcare Facilities
Risk management is important to healthcare facilities because there are many areas of a healthcare organization’s activities in which vulnerabilities and opportunities may exist. Preventing the exploitation of vulnerabilities while exploiting potential opportunities is a challenging task which is best approached holistically to prevent inconsistencies in risk management strategies and ensure risks are analyzed and controlled according to the same risk culture/appetite.
However, building an enterprise risk management program from scratch, or transitioning from the traditional approach to an enterprise approach, is not without its own challenges. Possibly the biggest challenge is settling on a risk management strategy and risk culture/appetite that everyone can agree on. For example, a Chief Financial Officer or Chief Compliance Officer will likely be more risk averse than a Chief Marketing Officer or Chief Business Development Officer.
Once this challenge is resolved, the next challenge is to justify the benefits of enterprise risk management to the Chief Officers who have had to compromise their risk appetites. This can be a difficult challenge to overcome initially due to the different levels of risk awareness in separate business units and because risk management teams will be under pressure to deliver positive outcomes, and this pressure could get in the way of preventing negative outcomes.
One way to overcome these issues is to implement customizable software for managing risks that can be configured by the risk management team with guided risk assessments and automated corrective action plans for each business unit. This solution resolves the issue of different levels of risk awareness, while delegating the responsibility for risk assessments to subject matter experts in each business unit – enabling the risk management team to focus on identifying positive outcomes.
Organizations that are interested in adopting an enterprise approach to risk management in healthcare should discuss their plans with a compliance expert with knowledge of customizable software for managing risks. While risk management is important to healthcare facilities, it is equally important that risk management activities are conducted effectively in order to prevent unmanaged risks resulting in harm, damage, or the loss of a value opportunity.