Implementing Cybersecurity Measures: Lessons from the HHS OCR Settlement

by Angela Fitzpatrick 

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) recently settled with Montefiore Medical Center, a non-profit hospital system in New York City, for several potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This incident underscores the importance of robust cybersecurity measures in healthcare organizations and provides valuable lessons for similar institutions. 

Understanding the Incident 

An internal employee at Montefiore Medical Center stole and sold patients' protected health information over a period of six months. This led to a $4.75 million settlement and corrective action to resolve multiple potential failures relating to data security. 

Mitigating the Incident  

The healthcare sector is increasingly targeted by cyber criminals and thieves, as highlighted by OCR Director Melanie Fontes Rainer. Cyber-attacks do not discriminate based on organization size or stature, making it crucial for healthcare systems to diligently protect patient records. While it's easy to focus on external threat actors, it's critical to understand the importance of insider threats. Historically, the industry has put an appropriate focus on unintentional security and privacy incidents caused by internal actors, such as lost systems and unintentional uses and disclosures. However, with the value of medical records on the black market ranging from $250 to $1,000 per record, we should not ignore the possibility of threat actors gaining a foothold through internal organizational staff.

Implementing Robust Cybersecurity Measures 

Following the settlement, Montefiore Medical Center will need to implement a corrective action plan that includes several steps towards securing protected health information. These steps serve as excellent guidelines for other healthcare organizations: 

  1. Risk Assessment: Conduct an accurate and thorough assessment of potential security risks and vulnerabilities. 
  2. Risk Management Plan: Develop a written plan to address and mitigate identified security risks. 
  3. Monitoring Systems: Implement mechanisms that record and examine activity in all information systems that use or contain protected health information. 
  4. Compliance with HIPAA Rules: Review and revise written policies and procedures to comply with the HIPAA Privacy and Security Rules. 
  5. Workforce Training: Provide training to the workforce on HIPAA policies and procedures. 
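
The monitoring step above (record and examine activity in every system that holds protected health information) is the control that surfaces the kind of months-long record theft described in the settlement, but only if someone actually reviews the activity. The script below is an added example of what that review can look like, written for this article and not drawn from Meditology's tooling or Montefiore's systems. It assumes a simple constructed audit format (timestamp, user, action, patient ID) and flags any user whose count of distinct patient records viewed in a day jumps well above that user's own typical volume.

```python
"""Review PHI access logs for users whose daily record-access volume is anomalous.

Added illustration for the corrective action plan's monitoring step. The log
format and the sample users below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
import statistics


def _make_lines(user, day, n):
    """Build n constructed audit lines for one user on one January day."""
    return [f"2024-01-{day:02d}T10:{i:02d}:00,{user},VIEW,P{day}{i:03d}" for i in range(n)]


# Constructed sample audit trail: nurse_a views four records a day; clerk_x
# views three a day for three days, then twelve on the fourth day.
SAMPLE_LOG = "\n".join(
    _make_lines("nurse_a", 8, 4) + _make_lines("nurse_a", 9, 4) + _make_lines("nurse_a", 10, 4)
    + _make_lines("clerk_x", 8, 3) + _make_lines("clerk_x", 9, 3) + _make_lines("clerk_x", 10, 3)
    + _make_lines("clerk_x", 11, 12)
)


def parse_audit_log(text):
    """Parse 'timestamp,user,action,patient_id' lines into event tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, patient = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events


def daily_distinct_patients(events):
    """Return {user: {date_iso: number of distinct patient records touched}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for ts, user, _action, patient in events:
        seen[user][ts.date().isoformat()].add(patient)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def flag_anomalous_days(daily, absolute_threshold=50, ratio=3.0):
    """Flag (user, date, count) where the count exceeds the absolute threshold
    or ratio x the user's own median daily count (baseline needs >= 3 days)."""
    flags = []
    for user, days in daily.items():
        values = list(days.values())
        baseline = statistics.median(values) if len(values) >= 3 else None
        for date, n in sorted(days.items()):
            if n > absolute_threshold or (baseline is not None and n > ratio * baseline):
                flags.append((user, date, n))
    return flags


def review_sample_log():
    """Run the full review over the constructed sample and return the flags."""
    return flag_anomalous_days(daily_distinct_patients(parse_audit_log(SAMPLE_LOG)))


if __name__ == "__main__":
    for user, date, n in review_sample_log():
        print(f"REVIEW: {user} viewed {n} distinct patient records on {date}")
```

The per-user baseline matters more than the absolute threshold: a billing clerk who normally touches three charts a day and suddenly touches twelve is the signal, even though twelve is unremarkable for a triage nurse. In a real deployment the flagged days feed a human review queue, and the thresholds are tuned per role rather than hard-coded as here.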

Further Recommendations from OCR 

The OCR further recommends that healthcare providers, health plans, clearinghouses, and business associates implement safeguards such as vendor review, risk analysis integration into business processes, regular system activity reviews, multi-factor authentication, encryption of protected health information, and regular training. 

Meditology to the Rescue 

In light of the recent OCR settlement, it's critical to address the often-overlooked dimension of insider threats within our healthcare systems. Given the sensitive nature of the data involved, Meditology’s Security Risk Assessment (SRA) takes a proactive stance by invoking the comprehensive MITRE ATT&CK Framework to create nuanced threat models that encompass both malicious and unintentional insider actions. 

Our methodologies for mitigating these risks include both protective and detective controls such as Data Loss Prevention (DLP) solutions, analytics, and system activity monitoring, along with workforce education and rigorous training programs. When weaknesses are identified, we offer bespoke recommendations and assist in the development of a tailored remediation roadmap. 

Our approach recognizes the multifaceted role of individual controls in counteracting diverse threats. We deliver a risk register that delineates the correlation between specific controls and the potential threats they mitigate, providing a holistic view of your security posture against insider risks. Our delivery includes an intuitive dashboard, allowing stakeholders to gauge control effectiveness and focus on augmenting security where it truly matters. 

Moreover, Meditology's specialized reporting zeroes in on key areas deemed critical by organizational leadership, sharpening the lens on insider threat profiles among other salient vulnerabilities. Our alignment with the latest guidance, including HICP and HPH CPGs, ensures that your organization is surpassing baseline cybersecurity standards. We infuse our strategy with NIST CSF best practices tailored to the healthcare industry, reinforcing your defenses against both external and internal breaches, thus safeguarding the very heart of patient privacy and trust. 

Concluding Thoughts 

The Montefiore Medical Center incident serves as a critical reminder of the importance of robust cybersecurity measures in the healthcare sector. By taking these steps, healthcare organizations can better protect their patients and themselves from potential cyber threats. 


HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million 

About the Author 


Angela is an experienced Vice President of Delivery Operations who leads the firm’s IT Risk Management services practice. For more than a decade, Angela has managed critical technology, security, and privacy initiatives in a variety of healthcare settings. Angela’s strong track record includes experience developing complete security programs, leading security breach response efforts, and building audit functions. In addition to her security expertise, Angela has on-premises experience as a healthcare clinician and biomedical program manager, providing valuable insight into the operational workings of the healthcare industry. 
