Ransomware attacks increased during the pandemic as healthcare organizations were overloaded with additional patients and further stressed by employees working remotely. Cyberattacks have become such an issue that the U.S. government has established a new task force to combat ransomware attacks. Healthcare organizations need to protect patients' protected health information (PHI) from unauthorized parties. Following HIPAA can help covered entities and business associates protect and recover their sensitive data. Let's review what the U.S. Department of Health and Human Services (HHS) recommends in its fact sheet on ransomware and HIPAA to keep data protected.
Ransomware is malicious software designed to encrypt data so that its legitimate users can no longer access it. The attacker then demands a ransom in exchange for the decryption key, and may also threaten to delete the data, or to leak data copied out of the network before it was encrypted, if the ransom is not paid.
Yes. Some security measures required by HIPAA include:
The HIPAA Security Rule sets a floor, not a ceiling, for protecting PHI. In its fact sheet, HHS encourages entities to "implement additional and/or more stringent security measures above what they determine to be required by Security Rule standards."
Yes. HIPAA requires covered entities and business associates to have procedures in place that support recovery after a ransomware attack. The Security Rule's contingency plan standard specifically requires a data backup plan, which is usually part of an entity's business continuity plan. Other parts of this plan include a disaster recovery plan, an emergency mode operation plan, and periodic testing and revision of the plan, including test restorations to verify that backups are actually recoverable. Because some ransomware variants seek out and encrypt or delete online backups, HHS also suggests keeping backups offline and unreachable from the production network.
There are essentially two ways to detect ransomware on your systems. The first is technical: security controls (endpoint protection, file integrity and backup monitoring, network alerting) that raise an alert when something abnormal is happening, such as many files being rewritten or renamed in a short period. The second is human: employees who recognize the signs that ransomware has gained a foothold and report them. The HHS fact sheet shares some of the common indicators that a ransomware attack is underway:
Email is a common initial access vector for ransomware. If an employee realizes that they clicked a link or opened an attachment in an email that may have been malicious, they should report it to your IT or security team immediately, even if nothing visibly went wrong, since early reporting is often the difference between one infected workstation and an encrypted file server.
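The paragraph above describes the technical side of detection only in general terms. The following is an added example, not code from the page, from Paubox, or from the HHS fact sheet, showing one heuristic a monitoring job can apply: look for recently modified files whose content is near-random (encrypted data has close to 8 bits of entropy per byte, readable records far less) or that carry an extension ransomware families commonly append, and alert when a large share of recently touched files match. The extension list, the 7.5 bits/byte cutoff, the 25% ratio and the one-hour window are assumptions chosen for illustration, and the patient records it scans are constructed in a temporary directory.

```python
"""Entropy-based heuristic for spotting mass file encryption.

Added example; not code from the page, Paubox, or HHS. Assumed (not from the page):
the extension list, the 7.5 bits/byte cutoff, the 25% ratio and the one-hour window.
"""
import hashlib
import math
import shutil
import tempfile
import time
from collections import Counter
from pathlib import Path

SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}  # assumed, illustrative list
ENTROPY_THRESHOLD = 7.5    # bits per byte; assumed cutoff (maximum possible is 8.0)
MIN_SAMPLE = 256           # very short samples give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, window_seconds=3600, sample_bytes=4096):
    """Return (findings, total_recent): files modified inside the window, and those among
    them that look encrypted, with the reason(s) each one tripped."""
    now = time.time()
    findings, total_recent = [], 0
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or now - path.stat().st_mtime > window_seconds:
            continue
        total_recent += 1
        reasons = []
        if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
            reasons.append("suspicious extension")
        head = path.read_bytes()[:sample_bytes]  # only the first chunk is needed to judge entropy
        ent = shannon_entropy(head)
        if len(head) >= MIN_SAMPLE and ent >= ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({ent:.2f} bits/byte)")
        if reasons:
            findings.append((path.name, "; ".join(reasons)))
    return findings, total_recent


def mass_encryption_alert(findings, total_recent, ratio=0.25):
    """One encrypted archive or JPEG is normal; a quarter of recently touched files is not."""
    return total_recent > 0 and len(findings) / total_recent >= ratio


def pseudo_ciphertext(label: bytes, length: int) -> bytes:
    """Deterministic near-random bytes standing in for real ciphertext (constructed test data)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def build_sample_tree() -> Path:
    """Constructed sample: three plaintext records plus their 'encrypted' counterparts."""
    root = Path(tempfile.mkdtemp(prefix="phi_demo_"))
    record = "Patient record\nName: Sample Patient\nDOB: 1970-01-01\nDiagnosis: hypertension\n"
    for i in range(3):
        (root / f"patient_{i}.txt").write_text(record * 20)
        (root / f"patient_{i}.txt.locked").write_bytes(pseudo_ciphertext(f"rec{i}".encode(), 2048))
    return root


def run_demo():
    """Build the sample tree, scan it, clean up, and return the verdict."""
    root = build_sample_tree()
    try:
        findings, total = scan_tree(root)
        return {"findings": findings, "total": total,
                "alert": mass_encryption_alert(findings, total)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = run_demo()
    for name, why in result["findings"]:
        print(f"{name}: {why}")
    print("MASS ENCRYPTION ALERT" if result["alert"] else "no alert")
```

Run on a real file share this should be one signal among several, not a verdict on its own: compressed media and legitimate encrypted archives also score near 8 bits/byte, which is why the alert keys on the proportion of recently modified files rather than on any single file, and why the time window matters.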
If you believe ransomware has executed on your systems, activate your entity's security incident response procedures. HHS recommends that the initial analysis include determining:
This initial analysis drives the next steps: containing the infection, eradicating it, and recovering from backup. Once the incident is contained, you must determine whether PHI was compromised and therefore whether the incident must be reported to HHS under the Breach Notification Rule.
HIPAA concerns itself with protecting PHI. HHS's position is that when ePHI is encrypted by ransomware, unauthorized individuals have taken control of that information, so a breach is presumed. Unless the entity can demonstrate, through a documented risk assessment, that there is a "low probability that the PHI has been compromised," it must follow the breach notification rules: notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify HHS, and, for breaches affecting more than 500 individuals, notify prominent media outlets as well. One important caveat from the fact sheet: if the PHI was already encrypted in a manner consistent with HHS guidance before the attack, so that the attacker could not read it, it may not count as "unsecured PHI" and the notification obligations may not apply; this still has to be established through the same fact-specific analysis. SEE ALSO: What to do after you violate HIPAA. To learn more about what HHS recommends during various ransomware scenarios, read its full fact sheet on ransomware and HIPAA.
Prevention and preparation are the best ways to stop ransomware attacks. It's worth the investment to avoid the headache of recovering from ransomware and dealing with law enforcement. Take a proactive approach with Paubox Email Suite Plus, the best solution for HIPAA compliant email. It allows you to send encrypted emails directly to your patients' inboxes, no portals or passwords required. It doesn't interrupt your employees' workflow because it seamlessly integrates with popular email platforms like Google Workspace and Microsoft 365.
SEE ALSO: Why email is better than patient portals
Paubox Email Suite Plus also prevents malicious emails from entering your system. It includes robust inbound security tools that block threats like display name spoofing and phishing emails. Our latest feature, Zero Trust Email, adds an extra layer of authentication to ensure emails come from trusted sources. Paubox is HITRUST CSF certified, and a business associate agreement (BAA) is included in all plans. You can rest assured that we're dedicated to following HIPAA guidelines and keeping your emails secure.