Earlier this year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance indicating that, under most circumstances, a ransomware attack constitutes a reportable HIPAA breach. During a ransomware attack, electronic protected health information (ePHI) is considered breached because an unauthorized individual has taken control of the information. In its ransomware fact sheet, HHS noted that roughly 4,000 ransomware attacks per day have been reported since early 2016, a 300 percent increase over 2015.
This Thursday, October 27, Delta Risk VP of Security Operations, Chris Hendricks, along with Garrett Gross, Director of Field Enablement for AlienVault, will offer an educational webinar on the recently issued guidance, entitled “What You Need to Know About Ransomware and HIPAA Compliance.”
In the webinar, Chris and Garrett will discuss:
- Why threat actors are targeting healthcare;
- What the new OCR guidance means for healthcare providers;
- How to recognize and respond to a ransomware attack; and
- How to prepare your organization to reduce ransomware risks.
Increasingly, healthcare organizations and other HIPAA-covered entities have become the focus of ransomware attacks because they hold valuable information. Many healthcare providers and their business associates have publicly acknowledged being victims of ransomware attacks in 2016. The extent of the infection varied from case to case, with servers, phone systems, and even backup systems affected.
Some victims reported that they paid the ransom. In one case, a victim paid the ransom only to have the attacker demand a second payment. Other victims were able to isolate the malware and restore their systems from backup files. Even so, during these attacks one clinic reported that it had to switch to manual processing, while another location reported that it had to turn patients away.
The HHS OCR guidance indicates that ransomware gives an outside actor access to ePHI, and that an attack is therefore presumed to be a reportable breach. However, where a covered entity or business associate can demonstrate through a risk assessment that there is a low probability the ePHI has been compromised, notification is not required. One such circumstance is when the affected ePHI was already encrypted before the attack in a way that left it unreadable to the attacker (the encryption performed by the ransomware itself does not count). The guidance also offers advice on recognizing and avoiding ransomware attacks.
Register now for “What You Need to Know About Ransomware and HIPAA Compliance.”