HIPAA rules for Ransomware Threats!

Ransomware is the fastest-growing malware threat to companies of all types, according to a recent US Government interagency report, which identified healthcare facilities as prime targets.

As the world witnesses a surge in malware attacks, the Office for Civil Rights (OCR) and the US Department of Health have posted a new checklist for HIPAA-covered entities and their business associates.

The new guidelines are intended for use by healthcare companies when responding to cyber security attacks.

The guide also helps entities evaluate whether a breach notification is required as soon as a ransomware attack takes place, and helps them prevent and recover from all variants of malware attacks.

Cybersecurity Insiders' briefing on the new guidelines follows.

The HIPAA Security Rule requires covered entities and business associates to have reasonable and appropriate procedures in place to respond to a security incident, including a cyber attack. The procedures must cover identifying and responding to the incident, mitigating its harmful effects, documenting the incident and its outcome digitally, and, as a mandatory step, sharing that record with law enforcement.

For ransomware attacks in particular, OCR has directed companies covered under HIPAA to record the scope of the incident, the origin of the event, where the incident took place, how it occurred, and what steps are being or have been taken to prevent the current and future attacks.

After the initial analysis, OCR advises affected organizations to take the following additional steps:

A.) Contain the impact and propagation of ransomware

B.) Eradicate the malicious software and mitigate the vulnerabilities which allowed the attack to take place

C.) Restore lost data under a data continuity plan in order to restore business continuity

D.) And finally, conduct a post-incident analysis that incorporates the lessons learned from the attack, so that incident response to such issues improves in future.

The bottom line is that healthcare companies hold a wealth of information that cyber criminals can exploit. As more and more entities digitize patient health records, cyber crooks are finding this information more valuable than credit card data.

Under these circumstances, ransomware and other cyber threats are capable of wiping out patient and public health data on a massive scale. Companies should therefore not only ensure that they comply with the Security Rule but also have proactive measures in place to prevent and recover from a ransomware attack.

NOTE- HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. In simple terms, it is legislation passed by US law enforcement to provide data privacy and security provisions for safeguarding medical information.

Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security