Online Safety Community

HIPAA’s guidelines need to be understood to prepare for, prevent, respond and recover ransomware

Ransomware is dangerous and malicious software that infects the operating systems of computers that are vulnerable. It blocks access to files, and demands a ransom for releasing it. After the ransom is paid, usually in the form of virtual cash, through means such as Bitcoin, the block may be released. Many ransomware attacks, like ransom seekers in real life, blackmail and harass the victim for prolonged periods of time. Sometimes, ransomware can block the user’s access to the entire device.

This is how ransomware usually spreads within networks: It appears as a seemingly innocuous mail, asking users to carry out the simplest of tasks such as opening attachments to get a surprise. Of course, most unsuspecting users would not be aware of the magnitude of such a surprise.

Once the user does this in anticipation of a ‘reward’; utter chaos could follow. The ransomware can cause disruption in entire affiliated networks. To set the whole damage right; it could take colossal efforts, lots of time, and unspeakable stress and tension.

HIPAA has guidelines on how to deal with ransomware

It is but natural that there is a high degree of unease and anxiety among people in the US who deal with computer networks, given the extent to which the recent WannaCry ransomware attack spread panic over most parts of Europe and in other locations. Healthcare providers in the US are all the more worried because this ransomware attacked the National Health Service systems in the UK in particular. That they could be the next target is a strong possibility, which is why most healthcare providers need to take major steps to prevent such a ransomware attack. In fact, this recent WannaCry attack is only the latest in a series of attacks, of various types, on healthcare records. An extremely high number of over 100 million medical records were targeted in more than 250 different cyber incidents in the year 2015 alone.

Measures suggested by HIPAA

In view of these facts, and given its primary responsibility of ensuring the security, integrity and availability of medical records; HIPAA has come up with security measures aimed at preventing and countering these attacks. Predictably, these measures are pretty strong and stringent. The HIPAA Security Rule makes it a requirement from Business Associates and Covered Entities to carry out these tasks to check ransomware attacks:

  • Training needs to be imparted to users, consisting of both staff and the patients, on how to spot malware
  • Putting a security management process in place, the centerpiece of which is carrying out a Risk Analysis to identify the threats and to mitigate risks
  • Discussing the nature and enormity of the problem with patients and educating them on what they can and need to do to prevent attacks
  • Limiting the access to records and any sensitive information they contain
  • Taking appropriate data backups
  • Conceiving and implementing a disaster recovery program
  • Reporting and implementing security incident responses as laid out in 45 CFR 164.308 (a) (6)

Effectiveness of these measures is difficult to assess

All the diligence on the part of the HHS notwithstanding; it has a long way to go in implementing HIPAA rules on ransomware. What does it do when, for instance, a PHI is never accessed? How does it term such an action as a breach of data security, when its own rules clearly state that reporting should be done only when there is a breach? What this means is that while some cases of PHI data breach get reported, many more don’t.

Education on how to deal with ransomware

A webinar from MentorHealth, a leading provider of professional trainings for the healthcare industry will set all these doubts at rest. The speaker at this webinar, Paul Hales, an expert on HIPAA Privacy, Security, Breach notification and Enforcement Rules with a national HIPAA consulting practice based in St. Louis, will show how to put these measures as required by HIPAA.

Please register for this webinar . This course is approved for 1 general credit from the Nevada Board of Continuing Legal Education.

At this webinar, Paul will explain everything relating to ransomware. The learning includes topics such as the HIPAA rules that relate to ransomware, what kind of “social engineering” tricks hackers use to fill ransomware into systems, how an organization can prepare itself when it is subjected to a ransomware attack, and best practices for preventing, preparing, responding and recovering from attacks.

He will also cover other areas at this webinar, and these include:

  • How to do a HIPAA Breach Risk Assessment to determine if a Ransomware attack resulted in a HIPAA Breach - or not - if the assessment demonstrates a low probability of compromise to PHI
  • What the HIPAA Breach Notification Rule requires when a Ransomware attack does result in a Breach of Unsecured PHI
  • The interconnected roles and responsibilities of Covered Entities and Business Associates under the HIPAA Breach Notification Rule concerning Ransomware attacks

Views: 7

Comment

You need to be a member of Online Safety Community to add comments!

Join Online Safety Community

Take our poll!

Take our poll!

Latest Activity

Mark Nilson posted an event

Guidelines for Performing a Vendor Audit with an emphasis on Construction Audit at Training Doyens 26468 E Walker Dr,Aurora, Colorado

April 3, 2018 from 1pm to 2:30pm
OVERVIEWVendor/Contract audits require a certain skill set to understand the terms and conditions of a contract between a Company and any given vendor where products or services are outsourced.  Understanding the risks that are inherent within them is the first step in developing audit objectives and steps. The primary focus of the audit is the vendor (third party) activities pertinent to a contract. A majority of the fieldwork on these types of audits will likely be performed at the Vendor’s…See More
15 hours ago
gracylayla posted an event

How to begin your career in IBM API Connect? at 4608 Spalding, plano TX 75024 United States

February 19, 2018 to February 19, 2019
IBM API Connect is a complete API lifecycle management solution that will make things easier for developers, Central IT, and LoB Management. The thought behind API Connect is that APIs are small data applications, often called microservices, but they are applications nonetheless.IBM API Management with a built-in gateway, allowing you to create, run, manage, and secure APIs and Microservices. API Connect is the first of its kind: a unified end-to-end API management solution that enables the…See More
16 hours ago
John Robinson posted a blog post

Risk Management in the Global Economy and outlook for 2017

Risk management in the global economy is a highly challenging field for risk managers from any part of the world. With most of the world’s countries almost becoming part of the global economy in this era of globalization; it is emerging that risks that apply to one part any one nation’s or group of…See More
18 hours ago
Training Doyens posted an event
Thumbnail

Hot Issues in Multi-State & Internet Sales Tax at 26468 E Walker Dr, Aurora, Colorado 80016-6104

March 13, 2018 from 1pm to 2pm
OVERVIEWStates are tense. They need more revenue.Millions of dollars of internet sales occur daily without tax.  The states want their money. In just 90 minutes, learn the different ways your company triggers nexus on itself and what it must do to comply with state regulations.WHY SHOULD YOU ATTENDWill I owe taxes in more than one state for the same sale? Must I charge tax on my internet sales?  Why is my drop shipper charging me tax?  Why did I receive a NEXUS Questionnaire and what if I don’t…See More
18 hours ago

Forum

Occupational Health and Safety 7 Replies

Health and safety are important aspects of an organisation’s smooth and effective functioning.  Did you know that workplace health & safety injuries cost Australian businesses over $60 billion…Continue

Tags: Safety, and, Health, Occupational

Started by WHS Solutions. Last reply by Tony Ferraro yesterday.

About sailpoint software

An identity management system refers to an information system, or to a set of technologies that can be used for enterprise or cross-network identity management. Additional terms are used synonymously…Continue

Tags: sailpoint

Started by sujathayarlagadda on Friday.

What can be essentials safety measures taken to secure campus?

Students safety inside and outside the school premises is a huge concern in today's risk environment. what measures should be taken to ensure campus security?Continue

Tags: security, campus

Started by Jen McDade Feb 6.

What can be essentials safety measures taken to secure campus?

Students safety inside and outside the school premises is a huge concern in today's risk environment. what measures should be taken to ensure campus security?Continue

Tags: security, campus

Started by Jen McDade Feb 6.

What are the advantages of IoT in healthcare Industry?

No DescriptionContinue

Tags: Aware360, IoTin

Started by Jen McDade Feb 5.

Badge

Loading…

© 2018   Created by Safety Community.   Powered by

Badges  |  Report an Issue  |  Terms of Service