HIPAA and Ransomware: What You Need to Know | HIPAA Compliance for Medical Practices | Scoop.it

When it comes to HIPAA and ransomware, there are some key responsibilities that health care professionals have when handling an incident. Following the regulation is essential to keeping your behavioral health practice out of the headlines and mitigating the risk to patients’ sensitive health data.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has yet to release new regulation specifically addressing HIPAA and ransomware. However, in 2016, after a string of ransomware attacks impacted hospitals and health services across North America, HHS released guidance on how to handle a ransomware incident should one affect your practice.

What is Ransomware?

Ransomware is a type of malware that infects your computer or network. The malicious software encrypts your data, and the attackers responsible then demand a ransom in exchange for restoring access.

Sometimes, the ransomware will even give health care providers a countdown: pay the ransom within the time allotted, or face permanently losing access to this electronic protected health information (ePHI). ePHI is any health information that can be used to identify a patient and that is stored in electronic format, for example in an electronic health record (EHR) system.

How to Handle HIPAA and Ransomware

In the event of a ransomware incident, the first thing you should do is report the incident to local law enforcement. HHS guidance on the matter even goes so far as to include contacting the FBI, though this is typically only necessary for larger organizations such as hospital systems.

If you have reason to believe that the attackers accessed ePHI, then you must also report the breach to OCR. If your organization already has an effective HIPAA compliance program in place, then you should have full documentation that can demonstrate to OCR investigators that you did everything possible to prevent the breach.

Having a HIPAA compliance program in place can’t prevent a ransomware attack from occurring, but it is your best defense against heavy federal fines in the event that a breach does occur. HIPAA fines have already reached $17.1 million in 2017 alone, which is on pace to exceed 2016’s record-breaking $23.5 million.