New HIPAA Guidance on Ransomware Attacks and ePHI Security

By Bob Grant, Chief Strategy Officer, Compliancy Group
Twitter: @compliancygroup

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released new guidance about how HIPAA-beholden entities can better equip themselves to deal with ransomware attacks.

Ransomware is a targeted kind of malware attack that takes data ‘hostage.’ The attackers responsible then give the organization a deadline by which they expect to receive a ‘ransom’ in exchange for restored access to the withheld data.

A string of ransomware attacks struck hospitals across the US and Canada earlier in 2016. At the time, health care professionals were vocal about the need for formal guidance on the matter. This announcement from OCR Director Jocelyn Samuels is a step in the right direction for HIPAA-beholden entities looking to limit their exposure to data breaches and ransomware attacks.

OCR has not amended any of the HIPAA rules to formally accommodate malware protections. Instead, the guidance “reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats.” Samuels went on to list how health care entities can mitigate risk and effects of ransomware attacks by:

  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a remediation plan to mitigate those identified risks
  • Implementing procedures to safeguard against malicious software
  • Training authorized users to detect malicious software and to report such detections
  • Limiting access to ePHI to only those persons or software programs requiring access
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operation, frequent data backups, and test restorations
  • Understanding ransomware, how it works, and knowing how to spot the signs
  • Implementing security incident responses and mitigating the consequences of ransomware

Because this new guidance builds on the framework of pre-existing HIPAA regulation, simply implementing these few measures is not enough to keep organizations fully protected from ransomware.

Effective protection against ransomware requires a comprehensive, organization-wide compliance plan. Security plays an important role in limiting exposure to data breaches and ransomware attacks, and the measures outlined by Samuels should be prioritized here. But without implementing a total compliance solution, organizations run the risk of a common data breach turning into a full OCR investigation with attendant penalties and fines.

About the Author: Bob Grant is the Chief Strategy Officer of the Compliancy Group. The Compliancy Group offers a suite of products and solutions to help you meet HIPAA Compliance. Attend one of their upcoming free educational webinars or schedule a demo of the company’s all-in-one compliance product, The Guard. This article was originally published on the Compliancy Group blog and is republished here with permission.