With ransomware attacks a continuing threat to hospitals and health systems, the Office for Civil Rights is warning that, in addition to all the other headaches, such incidents could be considered a data breach under HIPAA.
Ransomware attacks have been recognized by the FBI as a serious threat, and some experts predict there will be more after the February incident in which Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 to hackers who took over its systems. Since then, four hospitals in California, Kentucky, and Maryland have been hit.
The Office for Civil Rights at the Department of Health and Human Services (HHS) has released new HIPAA guidance on ransomware. The guidance makes two points that matter for compliance: the presence of ransomware on a system is always a security incident, and when the ransomware encrypts protected health information (PHI), a breach is presumed to have occurred unless the entity can demonstrate otherwise. In the guidance’s words, “The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
That presumption triggers the HIPAA breach notification requirements. An entity experiencing a breach of unsecured PHI must notify the individuals whose information was involved, HHS, and, in some cases, the media, unless it can demonstrate and document, through a risk assessment, that there is a “low probability” that the PHI was compromised. The burden of proof is on the entity, so the forensic record of what the ransomware did (which systems it touched, what it encrypted, and whether data was exfiltrated) is what makes that demonstration possible.
The guidance recommends conducting a risk analysis to identify the threats and vulnerabilities to PHI and establishing a plan to mitigate or remediate the risks identified. In addition, the guidance advises taking these steps:
The guidance is available online at http://bit.ly/29zm57B.
Author Greg Freeman, Executive Editor Joy Daughtery Dickinson, and Nurse Planner Maureen Archambault report no consultant, stockholder, speaker’s bureau, research, or other financial relationships with companies having ties to this field of study. Arnold Mackles, MD, MBA, LHRM, physician reviewer, discloses that he is an author and advisory board member for The Sullivan Group and that he is owner, stockholder, presenter, author, and consultant for Innovative Healthcare Compliance Group.