Ransomware and HIPAA

Ransomware and HIPAA: the Federal Government has recently issued two resource documents.  The first discusses protecting your network from ransomware; the second is a Ransomware and HIPAA fact sheet.  Both are worth reviewing for ideas on how to protect your electronic health information.

Protecting your Networks from Ransomware

This is a somewhat technical document that describes how many ransomware attacks take place, with emphasis on how to prevent them in the first place.  Some of the most important strategies include:

  • Employee training on the risks of opening emails from an unknown sender or organization.
  • Utilizing strong spam filters and authentication technologies.
  • Scanning incoming and outgoing emails to detect threats and filter out executable files.
  • Configuring firewalls, and keeping software up to date.
  • Scanning for viruses and malware regularly.
  • Routinely backing up data, and keeping the backups disconnected from the network so an infection cannot reach them.
  • There are additional technical strategies that your IT professional should implement.

What to do if you are infected with Ransomware

If your prevention strategies fail, what should you do?

  • Isolate the infected computer immediately, and make sure your backups are isolated or offline.
  • Contact Law Enforcement.  Some providers may be reluctant to take this step, fearing negative publicity.  Ransomware events are too critical not to.  The negative publicity may come anyway, and you will need help coping with demands for ransom of your data.
  • Change all online account passwords; after the malware is removed, change system passwords as well.
  • Implement your security incident response plan – which you should have if you are a HIPAA covered entity or a business associate!

Ransomware and HIPAA

The Ransomware and HIPAA Fact Sheet also contains recommendations on preventing malware infections, which can lead to ransom demands:

  • Conduct a risk analysis to identify threats and vulnerabilities to ePHI and implement security measures to mitigate or remediate those risks.
  • Implement procedures to guard against and detect malicious software.
  • Train users on malicious software protection and how to report suspected infections.
  • Implement access controls to limit access to ePHI.
  • Keep all firmware up to date; some ransomware attacks make use of outdated firmware to infect systems or applications.
  • Keep your backups secure from the rest of your network, and make sure you can restore your data from the backups.
  • Incorporate procedures related to a ransomware attack into your security incident procedures.

Ransomware and HIPAA Violations

Could infection by malicious software and ransom demands lead to a finding of HIPAA violations?  Yes! 

  • The OCR considers encryption of your ePHI by malicious software to be an unauthorized disclosure not permitted under the Privacy Rule.  Unless you can reasonably conclude there is a low probability that the PHI has been compromised, you are required to comply with the applicable breach notification provisions.  This will require a forensic investigation of the nature of the malware and what it is designed to do.  (Can you see the $ signs increasing as you read this?)
  • An investigation by the OCR of a breach will cover every aspect of the Privacy and Security Rules.  Violations can be found related to:
    • Inadequate employee training,
    • Incomplete software and firmware updates,
    • Inadequate security response procedures, and
    • Lack of a current HIPAA risk assessment.

The stakes with respect to protecting ePHI keep increasing.  You will spend more to prevent successful ransomware attacks, and potentially a lot more reacting to a successful attack.  Of course, you should have cyber insurance coverage in place, but your cyber insurance carrier expects you to keep systems up to date and employees properly trained, too.

Electronic health records and other forms of ePHI are a great advance over paper records, but they require a high level of vigilance to protect them.  Don’t become another statistic on the OCR “Wall of Shame” listing major breaches!

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPA’s, MSO’s, and other healthcare organizations.