
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights Released New HIPAA Guidance on Ransomware Attacks

Posted on Thursday, July 14, 2016 6:35 PM

The U.S. Department of HHS Office for Civil Rights released new HIPAA guidance that prepares health care organizations to prevent, detect, contain and respond to ransomware threats. In addition, the guidance explains how ransomware works and how to recognize the signs of an infection.

“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware,” Jocelyn Samuels, Director, Office for Civil Rights, wrote in a blog post announcing the new guidance.

“Organizations need to take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.”

Samuels said the following activities, which HIPAA already requires, can help organizations prevent and respond to ransomware:
• Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate the identified risks
• Implementing procedures to safeguard against malicious software
• Training authorized users to detect malicious software and to report such detections
• Limiting access to ePHI to only those persons or software programs that require access
• Maintaining a contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations

“The guidance makes clear that a ransomware attack usually results in a ‘breach’ of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecure PHI must notify individuals whose information is involved in the breach, HHS and, in some cases, the media, unless the entity can demonstrate (and document) that there is a ‘low probability’ that the information was compromised,” Samuels said.
