HHS Office for Civil Rights Releases HIPAA Guidance on Ransomware
July 14, 2016 12:29 PM
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights has released new Health Insurance Portability and Accountability Act (HIPAA) guidance to help health care entities better understand and respond to the threat of ransomware. Health care and other organizations face an increasing threat of ransomware attacks, in which criminals encrypt or block access to important files and demand a ransom to release them. This new guidance includes steps currently required by HIPAA that can help prevent, detect, contain and respond to ransomware threats. In addition, the guidance provides information about ransomware to help health care entities understand how it works and how to spot its signs.
“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware,” Jocelyn Samuels, Director, Office for Civil Rights, wrote in a blog post announcing the new guidance. “Organizations need to take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.”
Following are activities required by HIPAA, Samuels said, that can help prevent and respond to ransomware:
Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
Implementing procedures to safeguard against malicious software;
Training authorized users on detecting malicious software and reporting such detections;
Limiting access to ePHI to only those persons or software programs requiring access; and
Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.
“The guidance makes clear that a ransomware attack usually results in a ‘breach’ of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecured PHI must notify individuals whose information is involved in the breach, HHS and, in some cases, the media, unless the entity can demonstrate (and document) that there is a ‘low probability’ that the information was compromised,” Samuels said.
The HIPAA guidance is available here: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
In addition, HHS previously released broader guidance on ransomware (see previous NAHC Report article here), as did the Federal Bureau of Investigation (see previous NAHC Report article here).