All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved
HIPAA breaches are not something that a healthcare organization wants, or expects, to occur and one of the top culprits continuing, and showing no signs of diminishing, is ransomware. Per the Ransomware and HIPAA Fact Sheet, published by Health and Human Services, on average, there have been 4,000 daily ransomware attacks since early 2016. These attacks were across all industries and affected individuals as well. Estimates show that in 2016, ransomware resulted in costs of over a billion dollars making it one of the most lucrative malicious acts carried out by criminals. Over a year later, well into 2017, ransomware attacks are still a serious problem.
As many in healthcare now know, ransomware is malware, a type of malicious software, used to attempt to high-jack a computer system in exchange for payment. As these attacks have risen, many healthcare organizations are unsure of whether they should be held liable for hackers’ unscrupulous access of HIPAA protected data. In answer to this, and other questions, Health and Human Services (HHS) put together the Ransomware and HIPAA Fact Sheet to help healthcare professionals take proactive steps to ensure their businesses are not easily attacked and what to do should an attack occur. Becoming familiar with the fact sheet is imperative to prevention and recognizing a ransomware related HIPAA breach.
The fact sheet states:
“Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, ‘…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.’ See 45 C.F.R. 164.402.
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.
Unless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.”
The Ransomware and HIPAA Fact Sheet also provides preventative security measure recommendations based on the HIPAA Security Rule. These include putting together a security management process, creating procedures to protect against malicious activity, providing user training on software protection so the user can help report any suspicious activity, and implementation of controls for accessing ePHI. It also discusses the importance of a thorough risk analysis.
As with most malicious software activity, and with ransomware in particular, one of the best ways to thwart an attack is to be educated on the risks. The ransomware and HIPAA Fact Sheet is a great tool for becoming more familiar with ransomware and its implications. Utilizing a HIPAA certified I.T. company in conjunction with the information provided by HHS can help lessen a healthcare organization’s ransomware risk significantly. Data Fast Solutions is HIPAA I.T. certified and can ensure that your ePHI is safely protected from ransomware and other malicious software.
This article is ©2017 Data Fast Solutions • All Rights Reserved