Jocelyn Samuels

“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware” – Jocelyn Samuels, Director at OCR

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently released guidance on how healthcare organizations can help prevent and address malicious software (e.g. ransomware, malware, viruses) attacks. The document includes specific information on how to prevent attacks, an in-depth description of ransomware, and the steps to take in the event a covered entity or business associate is required to address a ransomware event.

Much of the document is a reinforcement of current HIPAA guidelines and requirements that assist in preventing security-related breaches, including malware and ransomware. Specific guidance in this document includes:

“conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI the entities create, receive, maintain, or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level.”

This statement reiterates the need to ensure all covered entities and business associates perform, and take action on, their annual risk assessments. In the past, Director Samuels has stated that “an enterprise-wide risk assessment is the cornerstone of compliance.” Many fines related to the HIPAA Security Rule are directly related to covered entities and business associates not completing a thorough risk assessment or not implementing its findings.

“implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack.”

Make sure your written policies and procedures include steps to safeguard against malicious software, as well as steps to respond to a malicious software attack and recover the data lost in it.

The guidance also notes that ensuring the “workforce receive appropriate security training, including training for detecting and reporting instances of malicious software, can thus assist entities in preparing their staff to detect and respond to ransomware.”

Your standard HIPAA training should include security-related topics such as “How to identify a phishing email”, “How to identify if I have become a victim of a malicious software attack”, “How to avoid social engineering”, etc.

“implementing access controls to limit access to ePHI to only those persons or software programs requiring access.”

Your written policies and procedures should include direction on user logins, passwords, required access for job specific roles, etc.

“implementation of robust contingency plans including disaster recovery and data backup plans.”

Your policies and procedures should outline how you will recover from a disaster, how your organization backs up its critical data, and how often you test recovery from those backups. Also consider adding business continuity and emergency operations to these documents.
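A backup plan is only as good as its last tested restore. The script below is an added example (not from the OCR guidance or this post's author) of the kind of automated check a recovery test can run: it records a SHA-256 manifest of a file tree at backup time, restores the tree, and then reports any file that is missing, altered, or unexpected in the restored copy. It assumes a plain file-tree backup and uses only the Python standard library; the sample patient files and the simulated tampering are constructed for the demonstration.

```python
"""Restore-verification check for a backup drill (stdlib only)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded when the backup was taken."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    mismatched = sorted(
        path for path in set(manifest) & set(actual) if manifest[path] != actual[path]
    )
    return {
        "ok": not (missing or extra or mismatched),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
    }


def run_drill() -> dict:
    """Constructed drill: snapshot sample files, restore them, then tamper and re-check."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        source = tmp / "ephi_source"
        (source / "records").mkdir(parents=True)
        # Constructed sample data; nothing here is a real record.
        (source / "records" / "patient_0001.txt").write_text("constructed sample record\n")
        (source / "records" / "patient_0002.txt").write_text("another constructed record\n")
        (source / "config.json").write_text('{"retention_days": 30}\n')

        # Manifest is written alongside the backup so it can be checked later, offline.
        manifest = build_manifest(source)
        (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # A faithful restore should verify cleanly.
        restored = tmp / "restored"
        shutil.copytree(source, restored)
        clean = verify_restore(manifest, restored)

        # Simulate what a bad restore looks like: one file overwritten, one file missing.
        (restored / "records" / "patient_0001.txt").write_bytes(b"\x00unreadable-garbage")
        (restored / "config.json").unlink()
        stored_manifest = json.loads((tmp / "manifest.json").read_text())
        tampered = verify_restore(stored_manifest, restored)

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The manifest should be stored separately from the backup media it describes; if both live on the same volume, an attacker or a failed disk can take out the evidence along with the data. Running `verify_restore` as part of each scheduled recovery test turns "we have backups" into a documented, repeatable result you can show an auditor.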

Implementing Full Disk Encryption on your devices does not mean the data cannot be compromised.

The document goes into great detail on this subject. In a nutshell, full disk encryption protects your data when the device has been properly shut down and powered off. This protection is not sufficient in the case of a malicious software attack, because full disk encryption is most often transparently decrypted after an authorized user logs into the device, so malicious software running in that user's session sees the same readable data the user does. This applies to laptops, iPads, and phones alike.

Hopefully, your organization already has many of these items in place. If not, please contact me at and I will be happy to go over how to meet your specific HIPAA requirements.

You can find the full version of the document at the HHS Office for Civil Rights website.