New HIPAA Guidance on Ransomware Attacks and ePHI Security

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released new guidance about how HIPAA-beholden entities can better equip themselves to deal with ransomware attacks.

Ransomware is a targeted kind of malware attack that takes data ‘hostage.’ The attackers responsible then give the organization a countdown to a time at which they expect to receive a ‘ransom’ in exchange for restored access to the withheld data.

A string of ransomware attacks struck hospitals across the US and Canada earlier in 2016. At the time, health care professionals were vocal about the need for formal guidance on the matter. This announcement from OCR Director Jocelyn Samuels is a step in the right direction for HIPAA-beholden entities looking to limit their exposure to data breaches and ransomware attacks.

OCR has not amended any of the HIPAA rules to formally accommodate malware protections. Instead, the guidance “reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats.” Samuels went on to list how health care entities can mitigate risk and effects of ransomware attacks by:

  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a remediation plan to mitigate those identified risks
  • Implementing procedures to safeguard against malicious software
  • Training authorized users to detect malicious software and to report such detections
  • Limiting access to ePHI to only those persons or software programs requiring access
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operation, frequent data backups, and test restorations
  • Understanding ransomware, how it works, and knowing how to spot the signs
  • Implementing security incident responses and mitigating the consequences of ransomware

Because this new guidance is meant to build on the infrastructure of pre-existing HIPAA regulation, simply implementing these few measures is not enough to keep organizations fully protected from ransomware.

Effective protection against ransomware necessarily requires a comprehensive, organization-wide compliance plan. Security plays an important role in limiting exposure to data breaches and ransomware attacks, and the measures outlined by Samuels should be prioritized here. But without implementing a total compliance solution, organizations run the risk of a common data breach turning into a full OCR investigation with the attendant penalties and fines.

July 22nd, 2016