Dispelling a common notion, the agency says HIPAA breach disclosure rules usually apply to ransomware.
Since ransomware attacks healthcare organizations do not necessarily result in data being exfiltrated from the breached systems, it has been assumed by some that the usual Health Insurance Portability and Accountability Act breach notification rules do not apply.
New guidance appears to dispel such notions.
The HHS Office for Civil Rights this week released new HIPAA guidance on ransomware.
It clarifies that a ransomware attack usually results in a breach of healthcare information under the HIPAA Breach Notification Rule.
Healthcare organizations and other covered entities must notify individuals whose information is involved in a breach, as well as the media in some cases, unless the breached entity can document that there is low probability that the information was compromised.
The OCR guidelines list some of the activities required by HIPAA, which apply to ransomware attacks:
- Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information, as well as establishing ways to mitigate or remediate these identified risks.
- Implementing procedures to take precautions against malware.
- Training users to detect malware and report such detections.
- Limiting access to protected health information to people and software requiring such access.
- Maintaining disaster recovery, emergency operations, frequent data backups, and practice restorations.
The guidance also discusses ways to spot the signs of ransomware, as well as how to understand what it is and how it works.
Through ransomware, attackers encrypt data with a key known only to the attacker, making the data inaccessible to that data's authorized users. Attackers typically demand a ransom be paid before they will supply the key to decrypt the data.
HHS Secretary Sylvia Burwell recently highlighted ransomware in a June 20 letter she sent to chief executive officers of companies in the healthcare sector.
Earlier this month , ahead of the release of the new guidance, a pair of Congressmen asked for different HIPAA rules for malware and ransomware attacks.