It’s All About Risk Management! OCR Releases Guidance on Ransomware – “Your Money or Your PHI”

By Richard Curtiss, ITIL, CISSP, Principal Consultant, Clearwater Compliance
Rich.Curtiss@Clearwatercompliance.com

The Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. The guidance outlines activities already required by the HIPAA Security Rule that will help Covered Entities and Business Associates either prevent ransomware attacks or respond to them quickly. Specifically, the guidance calls for:

  • Implementing a security management process, including conducting a risk analysis and mitigating identified risks;
  • Implementing processes and technology to guard against and detect malicious software;
  • Training users on malicious software protection and reporting of malicious software detections with specific emphasis on ransomware;
  • Implementing controls to limit access to ePHI; and
  • Maintaining an overall contingency plan.

The OCR guidance also explains how a ransomware attack should be analyzed against the breach notification requirements under HIPAA. It is critical to understand that OCR expects Covered Entities and Business Associates to treat a ransomware attack that encrypts ePHI as a presumed breach. The only basis for not notifying is a documented breach risk assessment showing that there is a low probability that the protected health information was compromised.

According to Jennifer Rathburn and Rachel Bryers at Quarles and Brady, LLP, included with this guidance was a letter from Sylvia Burwell, Secretary of the U.S. Department of Health and Human Services, addressed to health care company CEOs. This letter, dated June 20, 2016, highlights the increasing threat of ransomware, and emphasizes key points about ransomware that CEOs should share with senior leadership. One of the main points noted in the letter and its attached inter-agency guidance is the significance of cybersecurity preventive measures to help protect against these ransomware attacks. The letter also outlines appropriate steps that can be taken by an organization in response to a ransomware attack, including considerations when determining whether to pay the demanded ransom.

These documents emphasize the importance OCR is placing on ransomware attacks. Organizations are expected to put in place top-down organizational support, comprehensive policies and procedures, appropriate technologies, and contingency plans to prevent, detect, respond to, and remediate these attacks.

The guidance can be found at: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.


2 COMMENTS

  1. Glad to see this was posted because I have lost count of how many times I have read on blogs or heard on webs that a ransomware attack = a breach.

    Actually, a better summary of the guidance by these same folks would be ransomware attack = presumed breach.

    Then…as we do with any presumed breach, the notification requirements are triggered unless a risk assessment identifies LoProCo.

  2. Forgot to mention that I also appreciate how the guidance describes which of the four “impermissibles” is the basis for determining this is a breach. In this case the impermissible identified in the guidance is “disclosure”.
