OCR releases much-anticipated guidance on ransomware and HIPAA


If a healthcare organization's computers are infected with ransomware, the government presumes a data breach has occurred unless the organization can demonstrate a "low probability" that the protected health information has been compromised, according to much-anticipated guidance on ransomware and HIPAA from the Health and Human Services Department's Office for Civil Rights. That demonstration must be supported by a documented risk assessment; the burden of proof rests on the covered entity or business associate, not on the regulator.

"The guidance makes clear that a ransomware attack usually results in a 'breach' of healthcare information under the HIPAA Breach Notification Rule," says OCR Director Jocelyn Samuels in an announcement on the guidance.

If a breach is presumed to have occurred, the guidance says, the organization must comply with the breach notification provisions, which include notifying the affected patients, the Secretary of HHS and, for breaches affecting more than 500 residents of a state or jurisdiction, the news media.


A majority of hospitals in the U.S. have either been targeted by ransomware or are at risk of becoming a victim, FierceHealthIT previously reported. In February, Hollywood Presbyterian Medical Center chose to pay ransomware attackers $17,000 after an attack disabled its networks. In March, a ransomware attack paralyzed MedStar Health's computer systems.

The HHS guidance "reinforces" the ways in which existing HIPAA Security Rule requirements help prevent and detect such threats: conducting a risk analysis, implementing procedures to guard against and detect malicious software, training employees to recognize malicious software, and limiting access to protected health information to only those who need it to perform their jobs.

It also defines ransomware, outlines signs of such an intrusion, describes how to mitigate the risk, and stresses the importance of maintaining backups from which data can actually be recovered.

“Organizations need to take steps to safeguard their data from ransomware attacks,” Samuels says. “HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.”

To learn more:
- here's the guidance (.pdf)
- read the announcement 
