This post was contributed by a community member. The views expressed here are the author's own.


HIPAA’s guidelines on preventing, preparing for, responding to and recovering from ransomware

Ransomware is malicious software that, once it has infected a vulnerable computer, blocks access to the files on it, typically by encrypting them, and demands a ransom in exchange for restoring access. Only after the attackers are paid (and only if they keep their word, which they need not) can the legitimate user expect to regain access to the encrypted files; organizations with intact backups can recover without paying. Some variants go further and lock the user out of the device itself. Ransomware commonly arrives as a seemingly harmless email that asks an unsuspecting user to perform a mundane task, such as opening an attachment or following a link. That single action is all it takes to execute the ransomware.

HIPAA guidelines on ransomware

After the recent WannaCry ransomware attack across Europe and other parts of the world, healthcare providers in the US are understandably jittery that they could be the target of the next one, a fear reinforced by the heavy damage WannaCry did to the National Health Service in the UK. (WannaCry spread indiscriminately through a Windows file-sharing vulnerability rather than singling out healthcare; the NHS suffered badly because many of its systems were unpatched, which is itself the lesson for providers here.) This fear only adds a new dimension to a long-standing fact: healthcare records have always been a target for malicious software. In 2015 alone, the author counts 250 separate incidents, resulting in the breach of as many as 112 million medical records.

HIPAA-suggested measures

HIPAA, as interpreted in HHS guidance on ransomware, calls for a number of security measures to prevent and counter these attacks. The following are among the steps the HIPAA Security Rule requires Covered Entities and Business Associates to take, each of which also serves as a defense against ransomware:

  • Users, including staff and, in the author’s view, patients, need to be trained to spot malware; the Security Rule’s own security awareness and training requirement applies to workforce members
  • A Risk Analysis must be carried out to identify threats to electronic PHI, as part of the security management process, and measures to mitigate the identified risks must be implemented
  • The nature and gravity of the problem should be discussed with patients, and they should be educated on how to avoid attacks
  • Access to records, and to the sensitive information they contain, must be limited to the minimum that each user needs
  • Data backups must be put in place, kept where an infected machine cannot reach and encrypt them, and tested so that restoration actually works
  • A disaster recovery plan must be developed and implemented
  • Security incident procedures must be implemented, so that incidents are identified, responded to, mitigated and documented, as required by 45 CFR 164.308(a)(6)

Difficult to assess how effective these measures are

While the HHS has been diligent in this matter, it is up against a wall when it comes to enforcing HIPAA rules on ransomware. In many incidents the attackers never read or exfiltrate the PHI; they only encrypt it. HHS guidance treats that encryption as an acquisition of PHI and therefore a presumed breach, but the presumption is rebutted if the organization’s own risk assessment shows a low probability that the PHI was compromised, and HIPAA requires notification only when a breach has occurred. Because the organization makes that determination itself, many ransomware incidents are never reported as breaches. In effect, for every PHI breach that gets reported, many more don’t.

Full understanding of how to deal with ransomware

At a webinar organized by MentorHealth, a provider of professional training for the healthcare industry, Paul Hales, an expert on the HIPAA Privacy, Security, Breach Notification and Enforcement Rules with a national HIPAA consulting practice based in St. Louis, will give a complete explanation of how to put these HIPAA-required measures in place. To enroll for this webinar, please visit

Paul will explain ransomware, the HIPAA rules pertaining to it, the “social engineering” tricks attackers use to get ransomware into systems, what an organization needs to do when it is hit by a ransomware attack, and best practices to prevent, prepare for, respond to and recover from attacks.

Other important aspects of this topic that will be taken up include:

  • How to do a HIPAA Breach Risk Assessment to determine whether a ransomware attack resulted in a HIPAA Breach, or did not because the assessment demonstrates a low probability that PHI was compromised
  • What the HIPAA Breach Notification Rule requires when a Ransomware attack does result in a Breach of Unsecured PHI
  • The interconnected roles and responsibilities of Covered Entities and Business Associates under the HIPAA Breach Notification Rule concerning Ransomware attacks
