OCR releases ransomware and HIPAA guidance

Posted: Aug 18, 2016

Healthcare organizations have generally been slow to implement appropriate cybersecurity safeguards, making the industry a magnet for cybercriminals. In fact, a recent poll highlights that the majority of U.S. hospitals have fallen victim to at least one ransomware attack in the past twelve months.

In recognition of this vulnerability, the Health and Human Services’ (HHS) Office for Civil Rights (OCR) has published a set of HIPAA guidelines to help organizations better understand and respond to the threats of ransomware. Jocelyn Samuels, Director of OCR, said: “One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware”.

The guidelines follow a letter that the Secretary of HHS sent to Chief Executive Officers of healthcare organizations, outlining the vital role of security best practices in light of cyberthreats.

The guidance provides a comprehensive introduction to ransomware, how to spot it, and how it works. It places emphasis on the fact that a ransomware attack will typically result in a “breach” of healthcare information under the HIPAA Breach Notification Rule, triggering the requirement of notification to affected individuals, OCR, and sometimes also the media.

The guidelines outline the following set of activities which healthcare organizations are required to put into action in order to help prevent, detect, and respond to ransomware threats:

  • Conduct a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI);
  • Establish a plan to mitigate or remediate those identified threats and vulnerabilities;
  • Implement policies and procedures to safeguard against malicious software;
  • Train staff on how to detect and report cyber threats;
  • Limit ePHI access only to those who require it to perform their jobs; and
  • Maintain business strategy and continuity plans that include frequent data backups, disaster recovery, and emergency operation handling.

The guidance should serve as a stark reminder that HIPAA covered entities and business associates are responsible for the development and implementation of security incident procedures and processes to respond to and report malware threats. In order to meet these requirements, organizations must ensure they are taking actionable steps to safeguard their data at all times.