News Feature | July 20, 2016

Ransomware Response Guidance Released

By Christine Kern, contributing writer

OCR guidance is designed to help safeguard health information privacy.

In an effort to help better safeguard health information privacy, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has released guidance to help healthcare organizations better understand and respond to the threat of ransomware.

“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware,” Jocelyn Samuels, director at OCR, said in a prepared statement.

Ransomware attacks against healthcare organizations have been on the rise as hospitals and practices have been slower than other industries to implement the latest cybersecurity safeguards to prevent attacks. This has made them attractive targets for cybercriminals. In fact, according to a recent poll, the majority of U.S. hospitals have been targeted by at least one ransomware attack in the past year.

Jacob Olcott, vice president of business development at BitSight Technologies, wrote, “With the scale of recent data breaches that have taken place, ransomware attacks are a great cause for concern. In the [recent] data breaches, healthcare organizations were compromised, exposing millions of medical and financial records. These breaches didn’t involve ransomware, but they represent the large degree of damage resulting from breaches in this industry. Given the sheer volume of data lost or compromised, it’s conceivable criminals could be asking for sums much larger than $17,000 in the near future.”

The guidance reinforces HIPAA-required activities that organizations can implement to prevent, detect, contain, and respond to threats. OCR’s guidance includes:

  • conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
  • implementing procedures to safeguard against malicious software;
  • training authorized users to detect malicious software and report such detections;
  • limiting access to ePHI to only those persons or software programs requiring access; and
  • maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.