Recent Guidance on Ransomware, HIPAA, and Cyber Incident Reporting
August 3, 2016
The Department of Health and Human Services (HHS) recently released guidance for health care entities to better understand and respond to the increased threats of ransomware. The guidance was published on July 11, 2016, and provides clarification regarding the interplay of ransomware and HIPAA, specifically that (1) a ransomware attack is a “security incident” under HIPAA, and (2) a ransomware attack is a “breach” under HIPAA unless an entity can demonstrate that there is a “low probability of compromise.”
Ransomware is a type of malware that encrypts data making it inaccessible to authorized users until a ransom payment is made. Ransomware can infect devices and systems through spam, phishing messages, websites, and email attachments when users click on a malicious link or open an attachment.
Health care organizations should focus on its risk assessment processes to address ransomware risks. This should include developing and implementing security incident procedures and response reporting processes to respond to malware and other security incidents. The guidance can be accessed through the following link: HHS Guidance.
Late last week, the Department of Homeland Security also released guidance on cyber incident reporting. The guidance addresses when, what, and how to report a cyber incident to the Federal Government. The fact sheet can be accessed through the following link: DHS Fact Sheet.
This article was authored by Lindsay D. Petrosky, Jackson Kelly PLLC.