We’ve written a lot about ransomware in the last year. It’s a serious data security risk that can cause complete data loss, even if you pay the ransom. Any data loss takes a toll on a business in terms of customer trust, downtime, lost revenue, and security. Combine that loss with protected health information (PHI), and you’ve got a far bigger problem.
In July, we published a blog post, Ransomware Attacks on Hospitals becoming an Epidemic, because there is a clear trend of these attacks targeting health facilities. Why would hospitals be a preferred target? Because they can’t afford to lose access to health records, even briefly.
Detecting and addressing a ransomware attack is stressful for any organization. When the data involved is medical records, the situation becomes far more complex: HIPAA rules are strict and the penalties for violations can be steep, and a ransomware infection that encrypts ePHI is presumed to be a breach unless the entity can demonstrate a low probability that the PHI was compromised. But the U.S. Department of Health and Human Services (HHS) points out that HIPAA compliance can in fact reduce the likelihood of an attack and aid in recovery after the fact. HHS published the full details in a fact sheet on ransomware and HIPAA compliance that is worth reading.
How HIPAA Compliance reduces likelihood of attack
While nothing guarantees you won’t become a victim of this breed of malware, following the HIPAA Security Rule can certainly reduce the likelihood. These measures align with sound security practices any business should follow. Some of the required security measures are as follows:
- Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks
- Implementing procedures to guard against and detect malicious software
- Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections
- Implementing access controls to limit access to ePHI to only those persons or software programs requiring access
How HIPAA Compliance aids in recovery after attack
We preach it all the time, and HHS agrees: the only reliable way to recover fully from a ransomware attack is a tested backup and recovery process. The HIPAA Security Rule helps here too. From the fact sheet:
Because ransomware denies access to data, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack. Test restorations should be periodically conducted to verify the integrity of backed up data and provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and unavailable from their networks.
Implementing a data backup plan is a Security Rule requirement for HIPAA covered entities and business associates as part of maintaining an overall contingency plan. Additional activities that must be included as part of an entity’s contingency plan include: disaster recovery planning, emergency operations planning, analyzing the criticality of applications and data to ensure all necessary applications and data are accounted for, and periodic testing of contingency plans to ensure organizational readiness to execute such plans and provide confidence they will be effective.
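The fact sheet’s two practical points, periodic test restorations and backups kept out of reach of the network, are easy to turn into a routine check. The script below is an added example written for this post; it is not code from the HHS fact sheet or from our product. It records a SHA-256 manifest of a backup set at backup time (the manifest is meant to live with the offline copy), then verifies a restored tree against that manifest and reports intact, modified, missing, and unexpected files. The sample records, file names, and the simulated tampering are all constructed for the demonstration. On a faithful restore every file checks out; on a restore from a backup that ransomware reached, the overwritten record, the deleted record, and the dropped ransom note are each flagged.

```python
"""Backup manifest and test-restore verification (added example).

Builds a SHA-256 manifest of a backup set, then checks a restored copy
against it.  A restore that silently hands back encrypted or missing
files is exactly what a ransomware victim must not discover on the day
of the incident, so the check is meant to run on a schedule.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash files in 1 MiB chunks so large records don't load into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Map each file's path (relative to `source`, POSIX form) to its SHA-256."""
    return {
        p.relative_to(source).as_posix(): sha256_file(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest recorded at backup time.

    Returns lists of relative paths that are intact, modified, missing, or
    unexpected, plus a boolean `passed` that is True only when every file in
    the manifest came back unchanged and nothing extra appeared.
    """
    actual = build_manifest(restored)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(actual) - set(manifest))
    report["passed"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def run_demo() -> tuple:
    """Constructed sample data set (not real PHI): back it up, then test two restores."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "ephi"
        (live / "records").mkdir(parents=True)
        (live / "records" / "patient-0001.txt").write_text("visit 2016-08-01 bp 120/80\n")
        (live / "records" / "patient-0002.txt").write_text("visit 2016-08-02 bp 130/85\n")
        (live / "index.csv").write_text(
            "id,file\n1,records/patient-0001.txt\n2,records/patient-0002.txt\n"
        )

        # Take the backup and write its manifest; in practice the manifest travels
        # with the offline copy so malware on the network cannot rewrite both.
        backup = root / "backup"
        shutil.copytree(live, backup)
        manifest = build_manifest(backup)
        (root / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Test restore 1: a faithful copy of the backup should pass.
        restore_ok = root / "restore-ok"
        shutil.copytree(backup, restore_ok)
        clean = verify_restore(restore_ok, json.loads((root / "manifest.json").read_text()))

        # Test restore 2: simulate a backup that ransomware reached over the network.
        # One record is overwritten with ciphertext-like bytes, one is deleted, and
        # a ransom note appears that was never part of the backup set.
        restore_bad = root / "restore-bad"
        shutil.copytree(backup, restore_bad)
        (restore_bad / "records" / "patient-0001.txt").write_bytes(b"\x8f\x1a\x00\xd3\x7c\xee")
        (restore_bad / "records" / "patient-0002.txt").unlink()
        (restore_bad / "README_DECRYPT.txt").write_text("your files are encrypted\n")
        tampered = verify_restore(restore_bad, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("faithful restore passed:", clean["passed"])
    print("tampered restore passed:", tampered["passed"])
    print("  modified:  ", tampered["modified"])
    print("  missing:   ", tampered["missing"])
    print("  unexpected:", tampered["unexpected"])
```

Run it against a real backup by calling `build_manifest` on the backup volume when the backup is taken and `verify_restore` on the scratch location you restore into during the scheduled test; treat any `passed == False` as a failed contingency-plan test, not as noise. The manifest must be stored where the backup host cannot overwrite it, otherwise a variant that encrypts the backup share can simply regenerate it.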
If HIPAA Compliance is part of your business, consider attending our webinar.