Ransomware threatens the basic tenets of the HIPAA Security Rule: the integrity, availability, and confidentiality of data.
The HIPAA Security Rule, 164.306(a), states that covered entities must:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
What is ransomware?
Ransomware is malicious software that is used to lock (encrypt) files on your computer system and shared network drives. Attackers then ask for a ransom payment in exchange for the key to recover the locked files. In many cases, they never send the key, or an invalid key is provided, and the files are never recovered.
HHS issues guidance on ransomware and HIPAA.
Multiple sources estimate that ransomware attacks have increased 300% since 2015. Due to this steady climb, from an estimated 1000 attacks per day in 2015 to 4000 attacks per day during the first half of 2016, the U.S. Department of Health and Human Services (HHS) has issued guidance for covered entities and business associates regarding ransomware.
Maintaining HIPAA compliance: would you have to report the ransomware incident to HHS?
If ransomware has adversely affected unsecured ePHI (electronic protected health information) in your environment, provisions in the HIPAA Breach Notification Rule may require you to report the incident to affected individuals, the Secretary of HHS, and the media.
If you become a victim of a ransomware attack
– Initiate your security incident response and Breach Notification procedures
– Do not pay the ransom
– Report the incident to your local FBI field office
– Report the incident to affected individuals, agencies, and the media, as appropriate
Reduce your risk of becoming a victim
– Provide security awareness and training for staff on how to identify and report suspicious activity
– Implement data encryption on all ePHI (at rest and in motion)
– Perform regular full, encrypted backups of your data, and periodically verify that data can be successfully restored from backup