Electronic theft through hacking in healthcare continues to skyrocket in 2019. Headlines throughout the Summer described healthcare hacking incidents across the country, in all types of practices, affecting both providers and business associates. Ransomware is also on the rise.
Ransomware incidents create a special challenge under HIPAA: a ransomware attack is presumed to be a breach under the Breach Notification Rule, triggering the requirement for a breach investigation. Ransomware occurs when the cyber thief steals all of your data, encrypts it and puts it out of your reach until you pay a ransom.
Organizations that experience ransomware attacks often shut down for several days or weeks as they try to recover and investigate what happened. The costs can be staggering, and for patients, the loss of data can be life threatening in extreme cases.
Phishing is by far the most common way that hackers break into systems: fooling an employee into clicking a link or attachment, or even convincing them to enter a password. The phishing emails look very real, even identical to the messages of brands, apps or services commonly used. Or they appear to originate from a colleague or friend. Without training and practice, even sophisticated digital users can be fooled!
Ransomware and HIPAA Triggers Breach Notification Rule
The rules are clear. If ransomware involving protected health information occurs, the Office for Civil Rights (OCR) considers it a presumed breach. That means the Breach Notification Rule kicks in, requiring a risk assessment to determine whether there is a “low probability of compromise of the patient data”. Quoting the Ransomware Fact Sheet from the U.S. Department of Health and Human Services (HHS):
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements.
If the breach risk assessment reveals there is a low probability of compromise, then no further action under the Breach Notification Rule needs to be taken – no notices to patients, to HHS or the media. The organization can then turn to managing its internal response to the attack – conducting a forensic analysis, recovering data, and getting back to business.
HIPAA Compliance Helps with Ransomware and HIPAA
The two key elements of prevention and response when it comes to ransomware are technical defenses and cybersecurity training for staff. The HIPAA Privacy and Security Rules both require a Risk Analysis – Risk Management Plan, to be conducted annually and updated on an ongoing basis. Good anti-malware detection as a first line of defense, installing all software patches as soon as they become available, and conducting daily data backups all fall under the category of technical defenses.
Just as important as the technical defenses is security awareness training. Hackers are sophisticated in the ways they sneak into the room. They do it remotely, through social engineering – which simply means finding ways to make computer users (or users of any electronic device) comfortable so they’ll let down their guard and click or open something, allowing entry. Teaching people how to recognize phishing and to be wary and cautious, to NOT click, pays off.
If ransomware happens despite technical defenses and training, staff need to know what to do after an attack occurs. Employees should immediately notify the IT security staff, or in a small organization, the business owner. The organization should start its contingency plan to contain the damage and continue operations as much as possible.
Follow The HIPAA E-Tool® for Help with Ransomware and HIPAA
Strong HIPAA compliance is a blueprint for protection against cybercrime. A Risk Analysis – Risk Management Plan, like the one in The HIPAA E-Tool®, lays out all the steps to prepare and reduce the likelihood of a successful attack. It provides reminders about software patch updates, the importance of data backup, and guides contingency planning. It also contains cybersecurity training for staff, providing real life examples of phishing emails and how to avoid getting tricked. Technical safeguards and training are the keys – learn what they are and how to use them in The HIPAA E-Tool®.