The Department of Health and Human Services issued a Fact Sheet addressing Ransomware and HIPAA. Ransomware is a type of malicious software that attempts to deny a user access to his or her own data until a ransom is paid. The user’s information is encrypted, and the software directs the user to pay a fee to the hacker in order to obtain the decryption key. The hacker can also set the ransomware to destroy data.
HHS reports that there has been a 300% increase in reported ransomware attacks between 2015 and 2016. Such attacks now average 4,000 a day.
The Fact Sheet describes how HIPAA compliance can assist in preventing and recovering from ransomware attacks. Specifically, HIPAA requires the following, each of which can assist in mitigating potential harm from ransomware:
- Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities and implementing security measures to mitigate or remediate risks;
- Implementing procedures to guard against and detect malicious software;
- Training users on malicious software protection;
- Implementing access controls to limit access to electronic protected health information.
Frequently backing up data and establishing data recovery processes are important in mitigating the risks of a ransomware attack. Security incident procedures and response reporting processes are also crucial.