With ransomware attacks a continuing threat to hospitals and health systems, the Office for Civil Rights is warning that, in addition to all the other headaches, such incidents could be considered a data breach under HIPAA.
Ransomware attacks have been recognized by the FBI as a serious threat, and some experts predict there will be more after the February incident in which Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 to hackers who took over its systems. Since then, four hospitals in California, Kentucky, and Maryland have been hit.
Responding to the threat, the Office for Civil Rights at the Department of Health and Human Services (HHS) has released new HIPAA guidance on ransomware. The new guidance points out that a ransomware attack probably means there has been a protected health information (PHI) data breach under HIPAA and says, “The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
That type of incident would trigger the notification requirements. Entities experiencing a breach of unsecure PHI must notify individuals whose information is involved in the breach, HHS says, and, in some cases, the media, unless the entity can demonstrate and document that there is a “low probability” that the information was compromised.
The guidance suggests conducting a risk analysis to identify threats and vulnerabilities to PHI and establishing a plan to mitigate or remediate those identified risks. In addition, the guidance advises taking these steps:
- Implement procedures to safeguard against malicious software.
- Train authorized users on detecting malicious software, and report such detections.
- Limit access to PHI to only those persons or software programs requiring access.
- Maintain an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.
The guidance is available online at http://bit.ly/29zm57B.