For healthcare, cybersecurity threats are a growing risk to running a successful business. With cybersecurity and ransomware incidents making headlines day after day, healthcare providers need to have security and privacy measures in place to keep their data safe.
HIPAA regulation sets strict guidelines for standards that must be implemented in order to keep protected health information (PHI) secure. PHI is defined by HIPAA as any demographic information that can be used to identify a patient. Examples of PHI include names, dates of birth, Social Security numbers, financial information, insurance ID numbers, and medical records, to name a few. For a full list, visit the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) website.
Healthcare cybersecurity incidents that have affected PHI are necessarily considered a HIPAA breach. HIPAA breaches affecting more than 500 individuals are considered Meaningful Breaches under the HIPAA Breach Notification Rule and must be reported to OCR for investigation. Often, these investigations will result in a HIPAA audit and related HIPAA fines if auditors deem that the breach was the result of “willful neglect.”
“Willful neglect” is determined by the effectiveness of a healthcare organization’s HIPAA compliance program as mandated by federal regulation. All healthcare providers who deal with PHI must address the full extent of HIPAA regulation. HIPAA fines range from $100-$50,000 per incident depending on the level of perceived neglect. That means that the less compliant your organization is, the more it will be fined in the event that you fail your HIPAA audit.
How do you prevent healthcare cybersecurity and healthcare ransomware incidents from becoming HIPAA breaches and fines?
What is Ransomware?
Ransomware is one of the most significant threats that healthcare professionals face in today’s market. In May of 2017, a string of ransomware attacks was perpetrated against healthcare organizations across the globe. Over 150 countries were affected by the strain of ransomware known as WannaCry. The resulting damage caused millions of dollars in operational issues and brought the UK’s National Health Service to a screeching halt for days.
Ransomware is a specific type of malware that spreads through fake Adobe updates or other malicious programs. Typically, these are caused by one or more improperly trained employees who download the program onto an organizational device without realizing the harm the program will cause. Once the ransomware has been downloaded, it begins to automatically encrypt all data stored on a given network or server. The hackers then threaten the healthcare organization with an ultimatum: pay a ransom, or face losing access to your data. The data can then be sold on the black market, exposing your patients to identity theft and financial crisis.
OCR has released specific guidance about how to respond in the event of a healthcare ransomware incident. Turning to law enforcement authorities should be your first step. If the scope of the incident is serious, OCR even suggests contacting the FBI. If the data affected by the ransomware was unencrypted, the incident will likely constitute a HIPAA breach, which must then be reported to the federal government for investigation.
But how can organizations like yours avoid this nightmarish web of ransomware and healthcare cybersecurity incidents in the first place?
Ransomware and HIPAA
OCR has stated that there are several important steps that healthcare providers can take to prevent ransomware incidents from becoming HIPAA breaches. At the end of the day, one of the most effective things a healthcare provider can do to protect their practice from ransomware incidents is to implement an effective HIPAA compliance solution. HIPAA compliance mandates a series of national standards that are best practice for preventing cybersecurity incidents of all kinds and for protecting sensitive healthcare data.
First, employee training on cybersecurity protocol must be given annually. Employee training is mandated by HIPAA, so it does double duty: it prevents HIPAA violations and it prevents ransomware incidents in the first place. HIPAA mandates that organizations must have policies and procedures in place, and by reflecting your organization’s training protocol in these policies, you can prove to federal investigators that you’ve put protections in place.
Full off-site back-up of health care data is also recommended by HIPAA and goes a long way toward mitigating the effects of a data breach or ransomware attack. If the data that’s been maliciously encrypted can be restored via secure off-site back-up, then your practice doesn’t risk losing access to important PHI and treatment information.
Additionally, full disk encryption is also recommended by HIPAA. If your data is encrypted at rest and is then subjected to a ransomware incident, the hackers will not be able to read the data they have taken. Paired with off-site back-up, which restores your access to the data, HIPAA encryption is a strong defense against ransomware and the related cybersecurity incidents plaguing healthcare.
HIPAA compliance satisfies the federal regulation, and saves you from healthcare cybersecurity incidents that can cripple your business and leave your patients’ financial wellbeing in jeopardy.
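An off-site back-up only protects you if it can actually be restored. The following script, added here as an illustration and not taken from the article or from any HIPAA guidance, shows the defender-side check a practice should run on a schedule: record a SHA-256 manifest of the records at back-up time, keep that manifest apart from the back-up copy, and later verify a restored copy against it so that a damaged, incomplete, or maliciously encrypted back-up is discovered before it is needed. The directory names, file contents, and the `demo()` scenario are all constructed for the example and contain no real patient data.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large record sets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    # Store the manifest separately from the back-up itself (ideally read-only,
    # off-site) so that whatever alters the back-up cannot also rewrite the manifest.
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored copy against the manifest taken at back-up time.

    A file whose digest differs is flagged as mismatched (corruption or an encrypted
    copy); a file that is absent is flagged as missing. Both mean the back-up cannot
    be relied on and the restore test has failed.
    """
    ok, missing, mismatched = [], [], []
    for rel, expected in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            missing.append(rel)
        elif hash_file(candidate) != expected:
            mismatched.append(rel)
        else:
            ok.append(rel)
    return {
        "ok": ok,
        "missing": missing,
        "mismatched": mismatched,
        "restorable": not missing and not mismatched,
    }


def demo() -> tuple:
    """Constructed scenario: one healthy restore and one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        records = base / "records"
        (records / "patients").mkdir(parents=True)
        (records / "notes").mkdir()
        # Constructed placeholder content, not real PHI.
        (records / "patients" / "1001.txt").write_text("patient-record-placeholder\n")
        (records / "notes" / "visit.txt").write_text("visit-note-placeholder\n")

        manifest_path = base / "manifest.json"
        save_manifest(build_manifest(records), manifest_path)
        manifest = load_manifest(manifest_path)

        # Healthy case: the restored copy is byte-for-byte what was backed up.
        good = base / "restore_good"
        shutil.copytree(records, good)
        good_result = verify_restore(manifest, good)

        # Damaged case: one file replaced by unreadable bytes (as a ransomware-encrypted
        # copy would be) and one file lost entirely.
        bad = base / "restore_bad"
        shutil.copytree(records, bad)
        (bad / "patients" / "1001.txt").write_bytes(b"\x00\xff\x13\x37garbage")
        (bad / "notes" / "visit.txt").unlink()
        bad_result = verify_restore(manifest, bad)

    return good_result, bad_result


if __name__ == "__main__":
    healthy, damaged = demo()
    print("healthy restore:", healthy["restorable"])
    print("damaged restore:", damaged["restorable"], damaged["missing"], damaged["mismatched"])
```

In practice the manifest would be written at the same time as each off-site back-up and the verification run against a test restore on a machine that is not the production server; a back-up that fails this check should be treated as no back-up at all.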