Ransomware Guidance Announced by OCR
In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Monday July 11, 2016 its publication of new HIPAA guidance on ransomware (“Ransomware Guidance”). According to OCR:
Ransomware is a type of malware (or malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.
Notably, the HIPAA Security Rule already requires implementation of security measures to help covered entities and business associates prevent the introduction of malware (e.g., ransomware) into their systems, and to implement policies and procedures to assist in responding to ransomware attacks. The Ransomware Guidance addresses, among other areas, how to implement security measures in order to prevent, mitigate the chances of, or even recover from ransomware attacks. Not surprisingly, conducting a risk analysis (or risk assessment) is at the core of covered entities and business associates implementing security management processes as required by the HIPAA Security Rule. The Ransomware Guidance further notes that maintaining an overall contingency plan, as required by the Security Rule, that includes disaster recovery planning, emergency operations planning and frequent backups of data can also help covered entities and business associates respond to and recover from malware infections, including ransomware attacks.