In 2015, Ransomware cost the US Healthcare industry nearly 6 billion dollars. Even more concerning is that there has been a 300% increase in ransomware attacks in 2016, according to a recent report from the U.S. Government.
Ransomware is a type of malicious software that encrypts data making it inaccessible to authorized users. After the data is encrypted, the hacker demands a ransom, which is typically in Bitcoin to maintain anonymity. Ransomware is most often deployed using tactics such as spam, phishing messages, websites, and email attachments that infect a computer system once the user clicks on the link or opens the attachment.
Ransomware has been around since the early 80’s, however, only recently have cyber-criminals been using it to wage war against the healthcare industry. Hospitals are most vulnerable because their systems contain crucial information required to care for the sick. Without this data, operations can be drastically impacted, and lives can be at stake. This makes it more likely that a hospital will pay the ransom in order to resume operations, allowing thieves to collect their payday.
HIPAA now requires all covered entities and business associates to provide appropriate security training on malicious software. Entities and business associates must also develop and implement security incident reporting and response procedures in the event of an attack. In order to assist healthcare organizations in better understanding and responding to the threat of ransomware, the HHS Office for Civil Rights has released new HIPAA guidance requirements and security measures which include the following:
An entity’s security response activities should begin with the following:
These first steps should help in prioritizing the appropriate response and serve as a foundation for a more in-depth analysis of the incident and its impact. Security incident procedures for responding to and reporting security incidents are also required by HIPAA and should include:
According to HIPAA, when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, it is considered to be a breach. Unless the entity can demonstrate there is a “…low probability that the PHI has been compromised.”
Once the breach has occurred, the entity must provide notification to the affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements.
To demonstrate that there is a low probability that the protected health information (PHI) has been compromised because of a breach, a risk assessment considering at least the following four factors must be conducted:
The risk assessment to determine whether there is a low probability of compromise of the PHI must be thorough, completed in good faith and reach conclusions that are reasonable given the circumstances. Furthermore, covered entities and business associates must maintain supporting documentation sufficient to meet their burden of proof regarding including:
The following information can be found in its entirety at www.hhs.gov. It is the responsibility of entity’s to know and fully understand HIPAA requirements. For any questions regarding HIPAA or training for employees, contact MedSafe at 1-888-MEDSAFE. www.medsafe.com