Tuesday, July 19, 2016

OCR Releases Ransomware and HIPAA Guidance

Dianne De La Mare 

HHS, Office for Civil Rights (OCR), has released guidance to help Health Insurance Portability and Accountability Act (HIPAA) covered entities (including nursing care centers and some assisted living communities) understand and respond to the threat of ransomware and to meet their compliance obligations under the HIPAA regulations. The guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including:
  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
  • Implementing procedures to safeguard against malicious software;
  • Training authorized users on detecting malicious software and reporting such detections;
  • Limiting access to ePHI to only those persons or software programs requiring access; and
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.
Some of the other topics covered in the guidance include understanding ransomware and how it works; spotting the signs of ransomware; implementing security incident responses; mitigating the consequences of ransomware; and the importance of contingency planning and data backup. The guidance makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule. Under the rule, and as noted in the guidance, entities experiencing a breach of unsecured PHI must notify the individuals whose information is involved in the breach, HHS, and, in some cases, the media, unless the entity can demonstrate (and document) that there is a “low probability” that the information was compromised.

By way of background, ransomware is a type of malware (malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data. Ransomware frequently infects devices and systems through spam, phishing messages, websites, and email attachments and enters the computer when a user clicks on the malicious link or opens the attachment. Entities need to take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.
