With ransomware attacks a continuing threat to healthcare providers, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is warning that, in addition to all the other headaches, such incidents could be considered a data breach under HIPAA.
Responding to the threat of ransomware attacks, the OCR has released HIPAA guidance on ransomware. The new guidance points out that a ransomware attack probably means there has been a protected health information (PHI) data breach under HIPAA.
“The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems [sic] is a security incident under the HIPAA Security Rule,” the guidance says. “A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
That type of incident would trigger the notification requirements. Organizations experiencing a breach of unsecured PHI must notify individuals whose information is involved in the breach and, in some cases, the media, unless the entity can demonstrate and document that there is a “low probability” that the information was compromised, HHS says.
The guidance suggests conducting a risk analysis to identify threats and vulnerabilities to PHI and establishing a plan to mitigate or remediate those identified risks. In addition, the guidance advises taking these steps:
According to just-released guidance from The Doctors Company, the nation’s largest physician-owned medical malpractice insurer, “[s]mall practices without sophisticated systems or firewalls may have to hire a forensic computer firm to demonstrate that a breach did not occur.”¹
For a summary of the HIPAA Privacy Rule, readers can go online to http://bit.ly/1ZnuVnN.
Executive Editor Joy Dickinson, Nurse Planner Kay Ball, Physician Reviewer Steven A. Gunderson, DO, and Consulting Editor Mark Mayo report no consultant, stockholder, speaker’s bureau, research, or other financial relationships with companies having ties to this field of study. Stephen W. Earnhart discloses that he is a stockholder and on the board for One Medical Passport.