Med Cyber Security Comments on Recent Health and Human Services Ruling on Ransomware Attacks and Healthcare Organizations.

Healthcare Ransomware Attacks Are Reportable Data Breaches

It was hardly noticed that, on July 11, 2016, the HHS Office of Civil Rights (OCR) issued guidance on HIPAA-covered organizations’ duties in a ransomware attack. This guidance has profound implications for healthcare organizations, which include covered entities (hospitals, insurance companies, clinics, labs, solo and group practitioners, etc.) and business associates (billing, accounting, data analysis, quality assurance, benefit management, practice management, legal, etc.) in the U.S. A ransomware attack on a healthcare organization’s computer system is now a reportable security incident unless it can be determined that there is a low probability of compromise.

What This Means to Healthcare Organizations

Med Cyber Security founder and CEO Rob Campbell says, “Overnight, all healthcare ransomware attacks must be digitally investigated to determine the probability of compromise, which in turn dictates what and if there are any reporting requirements. The significance of this can’t be overstated.

“If it is determined that there is a good chance of disclosure, destruction or unauthorized access to Protected Health Information (PHI), then the healthcare organization must report the security data breach on its web site, to the state attorney general’s office, to law enforcement, the HHS and notify affected patients and offer credit monitoring. In every case of a ransomware attack, digital forensics must be conducted and the supporting documentation must be maintained as evidence of compliance for state and federal authorities.

“This forensic analysis is intended to mitigate the spread of ransomware, remove it, and remediate the security weakness that allowed the attack. The results of these activities will be used to determine if you must notify the patients or clients, the state attorney general, local news media, post the incident on your website and the HHS as a result of the incident.”

Healthcare organizations that have large patient or client databases can incur staggering costs associated with breach notification and credit monitoring.

Med Cyber Security provides cyber security and HIPAA compliance consulting services throughout the U.S. for healthcare organizations. The company is known for specialized services to small and medium-sized businesses. The company’s website http://www.medcybersecurity.com contains additional information.

Contact Author

Rob Campbell