OCR’s HIPAA guidance on ransomware puts pressure on providers

Covered entities, business associates now are required to develop and implement malware security.


With the healthcare industry increasingly coming under attack from ransomware gambits, the Department of Health and Human Services’ Office for Civil Rights has released new HIPAA guidance on the risks of being victimized by file-encrypting malware.

The OCR’s guidance underscores the serious nature of ransomware and providers’ responsibility in preventing and recovering from such attacks.

“This document describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role the Health Insurance Portability and Accountability Act has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack,” states OCR.



The guidance re-emphasizes activities already required by HIPAA to help organizations prevent, detect, contain, and respond to such threats, including:

* Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;

* Implementing procedures to safeguard against malicious software;

* Training authorized users on detecting malicious software and report such detections;

* Limiting access to ePHI to only those persons or software programs requiring access; and

* Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware,” writes OCR Director Jocelyn Samuels in a July 11 blog. “The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals.”

According to Samuels, healthcare organizations must take steps to safeguard their data from ransomware attacks. “HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents,” she said.

Avi Rubin, director of the Health and Medical Security Lab at Johns Hopkins University, contends that ransomware is another cybersecurity tactic adopted by hackers to gain access to healthcare systems and hold the information hostage through encryption.

“These are all standard security measures that organizations should be employing anyway,” says Rubin. “If there is any silver lining on the proliferation of ransomware, it is that it’s serving as a wake-up call to the industry and getting people to actually implement security measures that are critical to protecting information and systems in today’s world.”

While Chris Ensey, COO of Dunbar Security Solutions, praised the OCR guidance for finally clearing up several common misconceptions regarding ransomware for HIPAA-regulated sectors, he argues that some parts of the guidance are unfortunately less prescriptive.

“The one area that is going to be a challenge for most organizations is the post-incident analysis,” says Ensey. “Very few healthcare organizations have access to malware analysis tools and expertise required to do deep forensic review.”

Similarly, Gary McGraw, CTO of Cigital, believes that OCR’s guidance provides common sense best practices for data protection, but doesn’t go far enough.

“The new ransomware guidance associated with HIPAA emphasizes classic security hygiene. That is a good thing, generally speaking,” says McGraw. “Many of the activities called out in the guidance can take place during development, when systems are being designed and implemented. For example, performing a risk analysis early in development is always more efficient and economical than performing a risk analysis on an already fielded system. That said, the problem with HIPAA as it stands today is that it tends to place too much emphasis on patient data, leaving not enough room for other things like medical device security.” 

The new HIPAA guidance can be found here.

More for you

Loading data for hdm_tax_topic #care-team-experience...