The U.S. Department of Health and Human Services (HHS) Office for Civil Rights has released new Health Insurance Portability and Accountability Act (HIPAA) guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats.
The new guidance contains topics such as understanding ransomware and how it works; spotting the signs of ransomware; implementing security incident responses; mitigating the consequences of ransomware; and the importance of contingency planning and data backup.
The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals, according to the HHS.
One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware.
The guidance makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecure PHI must notify individuals whose information is involved in the breach, HHS, and, in some cases, the media, unless the entity can demonstrate (and document) that there is a “low probability” that the information was compromised.
Ransomware is a type of malware (malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.
“Organizations need to take steps to safeguard their data from ransomware attacks,” said Jocelyn Samuels, Director, Office for Civil Rights. “HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents,” she added.