The U.S. Department of Health and Human Services (HHS) Office for Civil Rights recently released new Health Insurance Portability and Accountability Act (HIPAA) guidance on ransomware.
According to an announcement on HHS’s website, this new guidance is meant to combat the increased number of ransomware attacks on hospitals. Ransomware refers to malicious software that encrypts data so that it can be made accessible again only with a key held by the attacker. The attackers then demand a sum of money, or ransom, in exchange for the key. Ransomware enters a system through unsafe email attachments or links to unsafe websites.
The new guidance reinforces activities that are already required by HIPAA, and is designed to help organizations prevent, detect, and respond to such attacks. The guidance mandates that organizations conduct a risk analysis to identify threats to electronic protected health information (ePHI). Organizations will also have to apply procedures to safeguard against malicious software, train authorized users on how to detect and report software attacks, and limit access to ePHI to persons who require it.
Two other topics the guidance addresses are mitigating the consequences of ransomware attacks and backing up data.
“The guidance makes clear that a ransomware attack usually results in a ‘breach’ of health care information under the HIPAA Breach Notification Rule,” said Jocelyn Samuels, Director of the Office for Civil Rights and author of the HHS website post. “Under the rule, and as noted in the guidance, entities experiencing a breach of unsecure PHI must notify individuals whose information is involved in the breach.”
Ransomware attacks are a threat to many Federal agencies. According to the Ransomware and HIPAA FACT sheet, agencies have suffered 4,000 ransomware attacks since early 2016, a 300 percent increase from the number of such attacks in 2015. HHS’s guidance attempts to educate Federal agencies about their responsibilities in fending off malicious software.
“HIPAA-covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents,” Samuels said in the report.