HHS offers advice for health care industry to guard against malware

The U.S. Department of Health and Human Services' Office for Civil Rights has issued guidance on how hospitals and medical practices can deal with the issue of ransomware.

There have been several recent attacks on U.S. hospitals by cyber extortionists using software known as ransomware, which encrypts data and demands that users pay to get it unlocked.

The Health Insurance Portability and Accountability Act security rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware, says the guidance issued Monday.

This includes implementation of a security management process that includes a risk analysis to identify threats and vulnerabilities to electronic protected health information.

Procedures to guard against and detect malicious software should also be implemented, as well as controls to limit access to data, while users should be trained so they can assist in detecting malicious software, says the guidance.

“Because ransomware denies access to data, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack,” says the guidance.

Other issues discussed in the guidance include what covered entities should do if their computer systems are infected with ransomware; whether it is a HIPAA breach if ransomware infects a covered entity; and how covered entities can demonstrate there is a low probability that personal health information has been compromised.

Gregory M. Fliszar, a member of law firm Cozen O'Connor in Philadelphia, said one thing that is new in the guidance is it makes it clear that in general, protected health information that is accessed as part of a ransomware attack would be considered a HIPAA breach that would trigger notification provisions.