Ransomware: The Latest Trend in Healthcare Cyber-Attacks
Posted on Thursday, August 18, 2016 6:42 PM
In the first half of 2016, California and Maryland became the first states whose hospitals and health systems experienced ransomware attacks. The debate over whether this type of attack constitutes a legally reportable data breach under HIPAA has now ended.
“Unless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred,” HHS stated in its recently issued guidance.
To demonstrate this low probability, a HIPAA covered entity or business associate must perform an incident risk assessment using at least these four factors:
• The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
• The unauthorized person who used the protected health information or to whom the disclosure was made
• Whether the protected health information was actually acquired or viewed
• The extent to which the risk to the protected health information has been mitigated
HHS recommended that “a thorough and accurate evaluation of the evidence acquired and analyzed as a result of security incident response activities could help entities with the risk assessment process.” The agency explained that other factors “may indicate compromise,” such as a high risk of data unavailability or high risk to the data’s integrity.
Whether or not a given ransomware incident turns out to be a reportable breach under HIPAA, you must be prepared to perform an incident risk assessment in case your organization is the victim of an attack.
For the full article, click here.