To keep our pulse on the HIPAA industry, we subscribe to the U.S. Department of Health and Human Services' HIPAA Security Rule Distribution List. This past week we've seen a lot of activity on the list, so I'm sharing some of it via this post. The reasons behind its surge in activity of course, are the WannaCry ransomware attacks.
SEE RELATED: 3 Key Lessons Learned From WannaCry Ransomware Cyberattacks
As outlined in its online ransomware fact sheet, HHS presumes a breach in the case of a ransomware attack. The entity must determine whether such a breach is a reportable breach no later than 60 days after the entity knew or should have known of the breach.
SEE RELATED: FACT SHEET: Ransomware and HIPAA [HHS]
Ransomware guidance also includes important information about ransomware and how compliance with the HIPAA Security Rule helps entities prepare for ransomware attacks. This includes regard to contingency planning. OCR has shared its FAQ on sharing of cyber threat indicators here.
Important Note: If the data is not encrypted by the entity to at least NIST specifications when the ransomware attack is deployed, then OCR presumes a breach occurred, due to the ransomware attack. As such, the Covered Entity or Business Associate would need to prove that the ePHI was encrypted when the attack occurred and the ransomware containerized (or encrypted again) already-encrypted ePHI.
SEE ALSO: HIPAA Breach Notification Rule