The U.S. Department of Health and Human Services (HHS) Office for Civil Rights Released New HIPAA Guidance on Ransomware Attacks

Posted on Thursday, July 14, 2016 6:35 PM

The U.S. Department of HHS Office for Civil Rights released new HIPAA guidance, preparing health care organizations on how to prevent, detect, contain and respond to ransomware threats. In addition, the guidance provides information on how ransomware works and how to detect its signs.

“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware,” Jocelyn Samuels, Director, Office for Civil Rights, wrote in a blog post announcing the new guidance.

“Organizations need to take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.”

Samuels said the following activities, which are required by HIPAA, can help prevent and respond to ransomware:
• Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks
• Implementing procedures to safeguard against malicious software
• Training authorized users on detecting malicious software and reporting such detections
• Limiting access to ePHI to only those persons or software programs requiring access
• Maintaining a contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations

“The guidance makes clear that a ransomware attack usually results in a ‘breach’ of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecure PHI must notify individuals whose information is involved in the breach, HHS and, in some cases, the media, unless the entity can demonstrate (and document) that there is a ‘low probability’ that the information was compromised,” Samuels said.

Click here for more information on the HIPAA guidance.

For the full article, click here.


About Corridor

Corridor is the nation’s preferred partner and trusted business advisor to home health and hospice providers, providing quality services and impactful results for 30 years. Focusing on key operational, regulatory and financial challenges, Corridor delivers industry-unique solutions and deep expertise in coding, clinical documentation review, compliance, billing and collections, consulting and provider staff education. At Corridor, we make the business of caring for people Better! For the most important industry updates and news that impacts home health and hospice, please make sure to sign up for our weekly newsletter to receive the latest up-to-date industry information direct to your inbox!

For additional information, please contact Corridor at 1-866-263-3795.
