Dive Brief:
- HHS' Office for Civil Rights has released new guidance to help healthcare organizations better understand and respond to the threat of ransomware.
- "One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware," Jocelyn Samuels, director at OCR, said in a prepared statement.
- The guidance reinforces HIPAA-required activities that organizations can use to prevent, detect, contain, and respond to threats.
Dive Insight:
Media coverage of ransomware surged this February when Hollywood Presbyterian Medical Center in Los Angeles paid the equivalent of $17,000 in bitcoins to a hacker to regain control of its computer systems.
A month later, the Columbia, MD-based MedStar was forced to disable its computer network after a virus prevented users from logging into the system. This comes as a poll conducted by Health IT News and HIMSS Analytics found that up to 75% of hospitals surveyed could have been hit by ransomware over the past year.
OCR's guidance includes:
- Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
- Implementing procedures to safeguard against malicious software;
- Training authorized users on detecting malicious software and reporting such detections;
- Limiting access to ePHI to only those persons or software programs requiring access; and
- Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.