A string of ransomware attacks struck hospitals across the US and Canada earlier in 2016. At the time, healthcare professionals were vocal about the need for formal guidance on the matter. This announcement from OCR Director Jocelyn Samuels is a step in the right direction for HIPAA-beholden entities looking to limit their exposure to data breaches and ransomware attacks.
OCR has not amended any of the HIPAA rules to formally accommodate malware protections. Instead, the guidance “reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats.” Samuels went on to list how healthcare entities can mitigate the risk and effects of ransomware attacks by:
- Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a remediation plan to mitigate those identified risks
- Implementing procedures to safeguard against malicious software
- Training authorized users to detect malicious software and to report such detections
- Limiting access to ePHI to only those persons or software programs requiring access
- Maintaining an overall contingency plan that includes disaster recovery, emergency operation, frequent data backups, and test restorations
- Understanding ransomware, how it works, and knowing how to spot the signs
- Implementing security incident responses and mitigating the consequences of ransomware
Because this new guidance builds on pre-existing HIPAA regulation rather than replacing it, implementing these few measures on their own is not enough to keep an organization fully protected from ransomware.
Effective protection against ransomware requires a comprehensive, organization-wide compliance plan. Technical security controls play an important role in limiting exposure to data breaches and ransomware attacks, and the measures outlined by Samuels should be prioritized among them. But without a complete compliance program behind those controls, organizations run the risk of a routine data breach turning into a full OCR investigation with the attendant penalties and fines.