If a healthcare organization’s computers are infected with ransomware, the government considers it a data breach unless there’s a “low probability” that information has been compromised, according to much-anticipated guidance on ransomware and HIPAA from the Health and Human Services Department’s Office for Civil Rights.
“The guidance makes clear that a ransomware attack usually results in a ‘breach’ of healthcare information under the HIPAA Breach Notification Rule,” adds OCR Director Jocelyn Samuels in an announcement on the guidance.
If a breach is presumed to have occurred, the guidance says, then the organization must comply with the breach notification provisions, which include notifying the affected patients, the Secretary of HHS and the news media.
A majority of hospitals in the U.S. have been the target of a ransomware attack or could potentially become a victim, FierceHealthIT previously reported. In February, Hollywood Presbyterian Medical Center chose to pay ransomware hackers $17,000 after an attack disabled its networks. In March, a ransomware attack paralyzed MedStar Health’s computer systems.
The HHS guidance “reinforces” the ways HIPAA compliance helps prevent and detect security threats, such as requiring entities to conduct risk analysis, implement procedures to safeguard against malicious software, train employees to detect malicious software and limit access to protected health information to only those who need it to perform their jobs.
It also defines ransomware and outlines signs of such an intrusion, how to mitigate risk and the importance of backing up data.
“Organizations need to take steps to safeguard their data from ransomware attacks,” Samuels says. “HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.”