Covered entities and business associates attacked by ransomware may need to report the breach to the federal government, according to an HHS fact sheet.
Ransomware is a type of malicious software that makes a user's data inaccessible by encrypting it with a key known only to the attacker, until a ransom is paid.
A recent increase in ransomware attacks on hospitals has caused the Department of Health and Human Services to release guidance on ransomware and HIPAA. Published July 11, the guidance clarifies federal privacy regulations that have been in effect since 2013.
The fact sheet says that any time electronic protected health information (e-PHI) is encrypted as the result of a ransomware attack, a breach has occurred.
In cases where e-PHI that was already encrypted to comply with HIPAA is encrypted again by ransomware, it is not considered unsecured PHI, and therefore a risk assessment and breach notification are not required.
Covered entities or business associates who suspect a breach has occurred must first conduct a four-factor risk assessment to determine the probability that PHI has been compromised. The risk assessment should include:
If a breach has occurred, the entity is required to comply with breach notification provisions. For breaches affecting over 500 individuals, this includes notifying customers, the HHS and media outlets.
The fact sheet also recommends entities infected with ransomware contact their local Federal Bureau of Investigation or Secret Service field office.
The fact sheet emphasizes that maintaining compliance with the HIPAA Security Rule can help covered entities and business associates prevent malware infections and recover from security incidents.
For example, the Security Rule requires covered entities and business associates to maintain an overall contingency plan and security incident procedures. According to the fact sheet, a strong security incident procedure should include processes to: