By Bob Grant, Chief Strategy Officer, Compliancy Group
Twitter: @compliancygroup
In the past 90 days, there have been five separate instances of hospitals in the US and Canada being hit by ransomware attacks. The most recent of these affected MedStar Health, the largest health care provider in the Maryland and Washington, D.C. area. Hollywood Presbyterian Hospital was also recently hit, ending in a $17,000 ransom, and attacks on Methodist Hospital in Kentucky, The Ottawa Hospital, Chino Valley Medical Center, and Desert Valley Hospital have occurred as well.
Ransomware is a kind of malware that infects computer systems and begins encrypting data, blocking access to the encrypted files for anyone without the proper key. That data is held for ransom until the victims pay the hackers, who then supply a key to decrypt the data. In most cases, there is no guarantee that paying the ransom will prompt the hackers to hand over the key, nor is there any definitive way to be sure that the encrypted data was not accessed, copied, or distributed while it was under the hackers' control.
With FBI security experts recommending that victims pay the ransom and American and Canadian government officials saying otherwise, it’s safe to say that we need unified guidance on how to protect PHI and prevent breaches in this string of new and malicious cyber-attacks.
Until we receive guidance from OCR, we need to treat ransomware as a serious threat to the integrity and security of protected health information. HIPAA regulation currently does not distinguish ransomware attacks from other kinds of cyber-attacks.
OCR guidance outlined in the HIPAA Breach Notification Rule qualifies a data breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of [PHI].” Additionally, organizations that have been hit by a ransomware attack must be able to prove that ransomed PHI was “actually acquired or viewed” before OCR can get involved. In cases where access history is ambiguous or unattainable, victims find themselves in a regulatory limbo.
Even if a ransomware attack is not considered a breach, the bottom line is that security needs to be taken seriously if hospitals and health care professionals stand any chance of avoiding this mounting threat to health care data and PHI.
About the Author: Bob Grant is the Chief Strategy Officer of the Compliancy Group. The Compliancy Group offers a suite of products and solutions to help you meet HIPAA Compliance. Attend one of their upcoming free educational webinars or schedule a demo of the company’s all-in-one compliance product, The Guard. This article was originally published on the Compliancy Group blog and is republished here with permission.