With ransomware attacks a continuing threat to healthcare providers, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is warning that, in addition to all the other headaches, such incidents could be considered a data breach under HIPAA.
Responding to the threat of ransomware attacks, the OCR has released HIPAA guidance on ransomware. The new guidance points out that a ransomware attack probably means there has been a protected health information (PHI) data breach under HIPAA.
“The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems [sic] is a security incident under the HIPAA Security Rule,” the guidance says. “A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”
That type of incident would trigger the notification requirements. Organizations experiencing a breach of unsecured PHI must notify individuals whose information is involved in the breach and, in some cases, the media, unless the entity can demonstrate and document that there is a “low probability” that the information was compromised, HHS says.
The guidance suggests conducting a risk analysis to identify threats and vulnerabilities to PHI and establishing a plan to mitigate or remediate those identified risks. In addition, the guidance advises taking these steps:
- Implement procedures to safeguard against malicious software.
- Train authorized users to detect malicious software and to report such detections.
- Limit access to PHI to only those persons or software programs requiring access.
- Maintain an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.
The guidance is available to readers online at http://bit.ly/29zm57B.
According to just-released guidance from The Doctors Company, the nation’s largest physician-owned medical malpractice insurer, “[s]mall practices without sophisticated systems or firewalls may have to hire a forensic computer firm to demonstrate that a breach did not occur.” [1]
For a summary of the HIPAA Privacy Rule, readers can go online to http://bit.ly/1ZnuVnN.
1. The Doctors Company. Cybersecurity and data breaches: strategies to mitigate risk, monitor security, and respond in the event of a cyberattack. August 2016. Accessed at http://bit.ly/2bSCiCk.