Online Safety Community

HIPAA’s guidelines need to be understood to prepare for, prevent, respond to and recover from ransomware

Ransomware is malicious software that, once it runs on a vulnerable computer, encrypts the victim’s files (and sometimes locks the whole device) and demands a ransom for the key that would restore access. Payment is usually demanded in a cryptocurrency such as Bitcoin, and paying does not guarantee anything: the key may never be delivered, or the files may come back damaged. Many ransomware operators, like extortionists in real life, go on to blackmail and harass the victim for a prolonged period.
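The file-level behaviour just described, many files rewritten under a new extension in a short time and a ransom note dropped alongside them, is also what makes ransomware detectable on a file server before the whole share is gone. The following is an added example, not part of the original post: a small Python detector run over constructed file-audit events. The event line format, the user names, the extension list and the ransom-note filenames are all assumptions made for the illustration; in practice the extensions and note names come from current threat intelligence and the events from your file server’s audit log.

```python
"""Behavioural detector for ransomware activity on a file share.

Added example, not from the original post. The audit-event format below is
constructed: one line per event, '<ISO time> <user> <ACTION> <path>[ -> <newpath>]'.
A real deployment would feed it Windows object-access events or a NAS audit log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Illustrative extensions ransomware families have appended to encrypted files
# and filenames used for ransom notes (assumptions; tune from threat intel).
SUSPICIOUS_EXTENSIONS = {".locked", ".crypt", ".encrypted", ".wncry", ".wcry"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.txt",
                     "@please_read_me@.txt"}

WINDOW = timedelta(seconds=60)   # sliding window per user
RENAME_THRESHOLD = 10            # suspicious renames inside the window
MIN_DIRS = 3                     # spread across at least this many folders


def parse_event(line):
    """Parse one constructed audit line into a dict (dst is None unless RENAME)."""
    ts, user, action, rest = line.split(" ", 3)
    src, _, dst = rest.partition(" -> ")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "src": src, "dst": dst or None}


def is_suspicious_rename(ev):
    """True when a file is renamed to gain a known ransomware extension."""
    if ev["action"] != "RENAME" or not ev["dst"]:
        return False
    old_ext = os.path.splitext(ev["src"])[1].lower()
    new_ext = os.path.splitext(ev["dst"])[1].lower()
    return new_ext in SUSPICIOUS_EXTENSIONS and new_ext != old_ext


def detect(lines):
    """Return alerts (dicts with user, reason, count, ts) for the given audit lines."""
    alerts = []
    recent = defaultdict(deque)     # user -> deque of (timestamp, directory)
    already_flagged = set()
    for line in lines:
        ev = parse_event(line.strip())
        user = ev["user"]
        name = os.path.basename(ev["dst"] or ev["src"]).lower()
        if ev["action"] == "CREATE" and name in RANSOM_NOTE_NAMES:
            alerts.append({"user": user, "reason": "ransom note created",
                           "count": 1, "ts": ev["ts"]})
        if not is_suspicious_rename(ev):
            continue
        window = recent[user]
        window.append((ev["ts"], os.path.dirname(ev["src"])))
        while window and ev["ts"] - window[0][0] > WINDOW:   # drop stale entries
            window.popleft()
        dirs = {d for _, d in window}
        if (len(window) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRS
                and user not in already_flagged):
            already_flagged.add(user)
            alerts.append({"user": user,
                           "reason": "mass rename to ransomware extension",
                           "count": len(window), "ts": ev["ts"]})
    return alerts


def build_sample_events():
    """Constructed sample log: asmith renames one file normally; jdoe encrypts
    twelve files across four folders in under half a minute and drops a note."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    events = ["2017-05-12T09:59:58 asmith RENAME /share/hr/draft.docx -> /share/hr/final.docx"]
    for i in range(12):
        folder = ["finance", "hr", "radiology", "billing"][i % 4]
        t = (base + timedelta(seconds=2 * i)).isoformat()
        events.append(f"{t} jdoe RENAME /share/{folder}/file{i}.xlsx"
                      f" -> /share/{folder}/file{i}.xlsx.wncry")
    events.append("2017-05-12T10:00:30 jdoe CREATE /share/finance/@Please_Read_Me@.txt")
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(f"{alert['ts'].isoformat()} {alert['user']}: {alert['reason']} (n={alert['count']})")
```

The threshold and window are deliberately low so the sample trips them; tune them to the normal rate of legitimate bulk renames on your shares (migrations and backup jobs are the usual false positives). A detector of this kind shortens the response, it does not replace offline backups.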

This is how ransomware usually gets into a network: a seemingly innocuous e-mail asks the recipient to do something trivial, such as opening an attachment or following a link, to claim a ‘surprise’. Most unsuspecting users have no idea of the magnitude of that surprise.

Once the user takes the bait in anticipation of a ‘reward’, chaos can follow. The ransomware does not stop at the first machine; it reaches shared drives and other systems it can see, and can disrupt an entire affiliated network. Putting the damage right can take colossal effort, a great deal of time, and considerable stress.
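The delivery path above, an attachment the user is coaxed into opening, is where an e-mail gateway and user training both earn their keep. As an added example, not code from the original post, here is a Python triage routine built on the standard library’s email module that flags the classic ransomware lures: executable and script attachments, double extensions such as invoice.pdf.exe, macro-enabled Office files, files whose first bytes say “Windows executable” whatever their name, and scripts hidden inside zip archives. The sample message, its addresses and the extension lists are constructed for the illustration.

```python
"""Triage e-mail attachments for ransomware-style lures.

Added example (not from the original post). The sample message is constructed
and the extension lists are illustrative starting points, not a complete policy.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                   ".bat", ".cmd", ".ps1", ".jar", ".lnk"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
MAGIC = {b"MZ": "Windows executable", b"PK\x03\x04": "zip archive", b"%PDF": "PDF"}


def sniff(data):
    """Identify a file by its leading bytes rather than by its name."""
    for prefix, label in MAGIC.items():
        if data.startswith(prefix):
            return label
    return "unknown"


def check_name(filename):
    """Findings derived from the filename alone."""
    findings = []
    root, ext = os.path.splitext(filename.lower())
    if ext in EXEC_EXTENSIONS:
        findings.append(f"executable extension {ext}")
    if ext in MACRO_EXTENSIONS:
        findings.append(f"macro-enabled Office document {ext}")
    if os.path.splitext(root)[1] and ext in EXEC_EXTENSIONS:   # e.g. invoice.pdf.exe
        findings.append("double extension hides the real file type")
    return findings


def check_content(filename, data):
    """Findings derived from the bytes: PE header under a harmless name, or a
    zip archive whose members are executable/script files."""
    findings = []
    kind = sniff(data)
    ext = os.path.splitext(filename.lower())[1]
    if kind == "Windows executable" and ext not in EXEC_EXTENSIONS:
        findings.append(f"PE header inside file named {filename}")
    if kind == "zip archive":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for f in check_name(os.path.basename(member)):
                        findings.append(f"archive member {member}: {f}")
        except zipfile.BadZipFile:
            findings.append("corrupt zip (cannot inspect)")
    return findings


def triage(raw_message):
    """Return {attachment filename: [findings]} for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):            # text/* parts come back as str
            data = data.encode("utf-8", "replace")
        report[name] = check_name(name) + check_content(name, data)
    return report


def build_sample_message():
    """Constructed lure: a fake 'invoice PDF' that is really an EXE, a zipped
    script, and one genuinely harmless PDF. Addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "clinic@example.test"
    msg["Subject"] = "Your invoice is attached"
    msg.set_content("Please open the attached invoice to claim your refund.")
    msg.add_attachment(b"MZ" + b"\x90" * 62, maintype="application",
                       subtype="pdf", filename="Invoice_2017.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan/document.js", "// constructed, inert placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan.zip")
    msg.add_attachment(b"%PDF-1.4 constructed benign document",
                       maintype="application", subtype="pdf", filename="policy.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage(build_sample_message()).items():
        print(name, "->", findings or "clean")
```

The name checks are what user training teaches people to spot; the content checks catch what a renamed file or a zip wrapper is meant to hide. A real gateway would add password-protected archives, ISO/IMG images and link-based lures to this list.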

HIPAA has guidelines on how to deal with ransomware

It is only natural that there is unease and anxiety among people in the US who run computer networks, given how widely the recent WannaCry ransomware attack spread panic across Europe and elsewhere. Healthcare providers in the US are all the more worried because WannaCry hit the UK’s National Health Service particularly hard. That they could be the next target is a strong possibility, which is why healthcare providers need to take major steps to prevent such an attack. One caveat worth noting: WannaCry did not rely on an e-mail lure but spread as a worm through an SMBv1 vulnerability that Microsoft had patched two months earlier (MS17-010), so timely patching belongs on the prevention list alongside user training. WannaCry is only the latest in a series of attacks, of various types, on healthcare records: over 100 million medical records were targeted in more than 250 separate cyber incidents in 2015 alone.

Measures suggested by HIPAA

In view of these facts, and given that the Security Rule exists to ensure the confidentiality, integrity and availability of electronic protected health information (ePHI), HHS has issued guidance on how the existing HIPAA security measures apply to ransomware. Predictably, these measures are strong and stringent. The HIPAA Security Rule requires Covered Entities and Business Associates to carry out the following tasks, each of which helps prevent or contain a ransomware attack:

  • Training staff, and patients too, to recognise malware and the phishing lures that deliver it; for the workforce this is the security awareness and training standard in 45 CFR 164.308(a)(5)
  • Putting a security management process in place (45 CFR 164.308(a)(1)), the centerpiece of which is a Risk Analysis that identifies threats to ePHI and a Risk Management plan that mitigates them
  • Discussing the nature and scale of the problem with patients and educating them on what they can and should do to prevent attacks
  • Limiting access to records and to the sensitive information they contain to what each role actually needs (access control, 45 CFR 164.312(a)); ransomware can only encrypt what the infected account can write to
  • Taking regular data backups, storing them where malware on the network cannot reach them, and testing that they restore (data backup plan, 45 CFR 164.308(a)(7))
  • Conceiving and implementing a disaster recovery plan as part of the contingency plan (45 CFR 164.308(a)(7))
  • Reporting and responding to security incidents as laid out in 45 CFR 164.308(a)(6)

Effectiveness of these measures is difficult to assess

For all the diligence of the HHS, enforcing the HIPAA rules against ransomware still has a long way to go. What happens when, for instance, PHI is encrypted but never actually read by the attacker? HHS guidance treats the encryption itself as a presumed breach unless a risk assessment demonstrates a low probability that the PHI was compromised, yet the rules also say that notification is owed only when there is a breach, so the outcome rests on each entity’s own assessment. The practical result is that while some ransomware incidents involving PHI get reported, many more do not.

Education on how to deal with ransomware

A webinar from MentorHealth, a leading provider of professional training for the healthcare industry, will set these doubts at rest. The speaker, Paul Hales, an expert on the HIPAA Privacy, Security, Breach Notification and Enforcement Rules with a national HIPAA consulting practice based in St. Louis, will show how to put the measures HIPAA requires in place.

Please register for this webinar. This course is approved for 1 general credit from the Nevada Board of Continuing Legal Education.

At this webinar, Paul will cover ransomware from the HIPAA perspective: the HIPAA rules that relate to ransomware, the “social engineering” tricks attackers use to get ransomware into systems, how an organization can prepare for a ransomware attack, and best practices for preventing, preparing for, responding to and recovering from attacks.

Other areas he will cover at this webinar include:

  • How to do a HIPAA Breach Risk Assessment to determine whether a ransomware attack resulted in a HIPAA Breach, or did not because the assessment demonstrates a low probability that PHI was compromised
  • What the HIPAA Breach Notification Rule requires when a ransomware attack does result in a Breach of Unsecured PHI
  • The interconnected roles and responsibilities of Covered Entities and Business Associates under the HIPAA Breach Notification Rule concerning ransomware attacks
