HIPAA’s guidelines need to be understood to prepare for, prevent, respond and recover ransomware

Ransomware is dangerous and malicious software that infects the operating systems of computers that are vulnerable. It blocks access to files, and demands a ransom for releasing it. After the ransom is paid, usually in the form of virtual cash, through means such as Bitcoin, the block may be released. Many ransomware attacks, like ransom seekers in real life, blackmail and harass the victim for prolonged periods of time. Sometimes, ransomware can block the user’s access to the entire device.

This is how ransomware usually spreads within networks: It appears as a seemingly innocuous mail, asking users to carry out the simplest of tasks such as opening attachments to get a surprise. Of course, most unsuspecting users would not be aware of the magnitude of such a surprise.

Once the user does this in anticipation of a ‘reward’; utter chaos could follow. The ransomware can cause disruption in entire affiliated networks. To set the whole damage right; it could take colossal efforts, lots of time, and unspeakable stress and tension.

HIPAA has guidelines on how to deal with ransomware

It is but natural that there is a high degree of unease and anxiety among people in the US who deal with computer networks, given the extent to which the recent WannaCry ransomware attack spread panic over most parts of Europe and in other locations. Healthcare providers in the US are all the more worried because this ransomware attacked the National Health Service systems in the UK in particular. That they could be the next target is a strong possibility, which is why most healthcare providers need to take major steps to prevent such a ransomware attack. In fact, this recent WannaCry attack is only the latest in a series of attacks, of various types, on healthcare records. An extremely high number of over 100 million medical records were targeted in more than 250 different cyber incidents in the year 2015 alone.

Measures suggested by HIPAA

In view of these facts, and given its primary responsibility of ensuring the security, integrity and availability of medical records; HIPAA has come up with security measures aimed at preventing and countering these attacks. Predictably, these measures are pretty strong and stringent. The HIPAA Security Rule makes it a requirement from Business Associates and Covered Entities to carry out these tasks to check ransomware attacks:

• Training needs to be imparted to users, consisting of both staff and the patients, on how to spot malware
• Putting a security management process in place, the centerpiece of which is carrying out a Risk Analysis to identify the threats and to mitigate risks
• Discussing the nature and enormity of the problem with patients and educating them on what they can and need to do to prevent attacks
• Limiting the access to records and any sensitive information they contain
• Taking appropriate data backups
• Conceiving and implementing a disaster recovery program
• Reporting and implementing security incident responses as laid out in 45 CFR 164.308 (a) (6)

Effectiveness of these measures is difficult to assess

All the diligence on the part of the HHS notwithstanding; it has a long way to go in implementing HIPAA rules on ransomware. What does it do when, for instance, a PHI is never accessed? How does it term such an action as a breach of data security, when its own rules clearly state that reporting should be done only when there is a breach? What this means is that while some cases of PHI data breach get reported, many more don’t.

Education on how to deal with ransomware

A webinar from MentorHealth, a leading provider of professional trainings for the healthcare industry will set all these doubts at rest. The speaker at this webinar, Paul Hales, an expert on HIPAA Privacy, Security, Breach notification and Enforcement Rules with a national HIPAA consulting practice based in St. Louis, will show how to put these measures as required by HIPAA.

Please register for this webinar . This course is approved for 1 general credit from the Nevada Board of Continuing Legal Education.

At this webinar, Paul will explain everything relating to ransomware. The learning includes topics such as the HIPAA rules that relate to ransomware, what kind of “social engineering” tricks hackers use to fill ransomware into systems, how an organization can prepare itself when it is subjected to a ransomware attack, and best practices for preventing, preparing, responding and recovering from attacks.

He will also cover other areas at this webinar, and these include:

• How to do a HIPAA Breach Risk Assessment to determine if a Ransomware attack resulted in a HIPAA Breach - or not - if the assessment demonstrates a low probability of compromise to PHI
• What the HIPAA Breach Notification Rule requires when a Ransomware attack does result in a Breach of Unsecured PHI
• The interconnected roles and responsibilities of Covered Entities and Business Associates under the HIPAA Breach Notification Rule concerning Ransomware attacks