The U.S. Department of Health and Human Services' Office for Civil Rights has issued guidance on how hospitals and medical practices can deal with the issue of ransomware.
There have been several recent attacks on U.S. hospitals by cyber extortionists using software known as ransomware, which encrypts data and demands that users pay to get it unlocked.
The Health Insurance Portability and Accountability Act security rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware, says the guidance issued Monday.
This includes implementation of a security management process that includes a risk analysis to identify threats and vulnerabilities to electronic protected health information.
Procedures to guard against and detect malicious software should also be implemented, as well as controls to limit access to data, while users should be trained so they can assist in detecting malicious software, says the guidance.
“Because ransomware denies access to data, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack,” says the guidance.
Other issues discussed in the guidance include what covered entities should do if their computer systems are infected with ransomware; whether it is a HIPAA breach if ransomware infects a covered entity; and how covered entities can demonstrate there is a low probability personal health information has been compromised.
Gregory M. Fliszar, a member of law firm Cozen O'Connor in Philadelphia, said one thing that is new in the guidance is it makes it clear that in general, protected health information that is accessed as part of a ransomware attack would be considered a HIPAA breach that would trigger notification provisions.
The issue of stolen medical records extends beyond the health care industry, affecting 18 out of 20 industries examined by Verizon Communications Inc. in a study issued Thursday.