- HHS' Office for Civil Rights has released new guidance to help healthcare organizations better understand and respond to the threat of ransomware.
- "One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware," Jocelyn Samuels, director at OCR, said in a prepared statement.
- The guidance reinforces HIPAA-required activities which organizations can use to prevent, detect, contain, and respond to threats.
Media coverage of ransomware largely came into vogue this February when Hollywood Presbyterian Medical Center in Los Angeles paid the equivalent of $17,000 in bitcoins to a hacker to regain control of its computer systems.
A month later, the Columbia, MD-based MedStar was forced to disable its computer network after a virus prevented users from logging into the system. This comes as a poll conducted by Health IT News and HIMSS Analytics found that up to 75% of hospitals surveyed could have been hit by ransomware over the past year.
OCR's guidance includes:
- Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
- Implementing procedures to safeguard against malicious software;
- Training authorized users on detecting malicious software and reporting such detections;
- Limiting access to ePHI to only those persons or software programs requiring access; and
- Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.