On July 11th of this year, the HHS Office for Civil Rights (OCR) released new Health Insurance Portability and Accountability Act (HIPAA) guidance on Ransomware. The new guidance outlines procedures and policies required by HIPAA that organizations should implement to prevent, detect, contain, and respond to threats posed by “Ransomware.”
Ransomware is malicious software that hackers use to encrypt data on a company’s computer system, making the data inaccessible without a decryption key known only to the hacker. Once the data is encrypted, the hacker demands that the company pay a “ransom” in order to obtain a key to decrypt the data. Often the ransom is demanded in cryptocurrency, such as Bitcoin, to shield the identity of the hackers. Ransomware often infects devices and systems through spam, phishing messages, websites, and email attachments, and enters the computer when a user clicks on the malicious link or opens the attachment.
OCR cites a recent U.S. Government report that indicates there has been an average of 4,000 daily Ransomware attacks since early 2016. Covered entities, business associates, and subcontractors are required by the HIPAA Security Rule to implement security measures aimed at preventing intrusion by Ransomware. Some of these required measures include implementing:
- Security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to Electronic Protected Health Information (ePHI) and implementing security measures to mitigate or remediate those identified risks
- Procedures to guard against and detect malicious software, including training computer users on malicious software protection so they can assist in detecting malicious software and know how to report such detections
- Access controls to limit access to ePHI to only those persons or software programs requiring access
If Ransomware is detected, its presence constitutes a security incident under the HIPAA Security Rule and must be addressed by the covered entity. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. An analysis of a Ransomware attack must also involve an analysis of whether an impermissible disclosure of PHI has occurred and to what extent. If an impermissible disclosure of PHI has occurred, appropriate breach reporting to affected individuals and OCR will become necessary.
Covered entities, business associates, and subcontractors need to take steps to safeguard their data from Ransomware attacks, and must develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to the presence of Ransomware. Appropriate measures include:
- Conducting a risk analysis to identify threats and vulnerabilities to ePHI and establishing a plan to mitigate or remediate those identified risks
- Implementing procedures to safeguard against Ransomware
- Training authorized users on detecting Ransomware and reporting such detections
- Limiting access to ePHI to only those persons or software programs requiring access
- Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations
Frier Levitt assists covered entities, business associates, and subcontractors in developing and implementing policies and procedures to address all aspects of HIPAA compliance, including the handling of Ransomware. We work with a broad array of entities requiring assistance with HIPAA compliance, ranging from physician practices to pharmacies to accounting and law firms. Contact us today to speak to an attorney.