The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) has released a new video about ransomware aimed at raising awareness and educating organizations covered under the Health Insurance Portability and Accountability Act (HIPAA) rules. This video outlines how compliance with the HIPAA Security Rule can help these organizations combat ransomware effectively.
In addition, the video updates the healthcare sector on the latest ransomware trends observed by OCR in its cybersecurity investigations. It includes OCR guidance and resources, best practices, and practical advice on how HIPAA compliance can assist regulated entities in preventing, detecting, responding to, and recovering from ransomware attacks. Topics covered include:
- OCR breach and ransomware trend analysis
- Review of prior OCR ransomware guidance and materials
- Analysis of the ransomware attack chain
- Exploration of how Security Rule compliance can combat ransomware
The video presentation can be found on OCR’s YouTube channel here.
Compliance Perspective
Issue
Every year OCR receives large breach reports from covered entities (health plans, healthcare clearinghouses, and most healthcare providers) or their business associates. These reports detail breaches of unsecured protected health information (PHI) affecting 500 or more individuals. From 2019 to 2023, large breach reports involving hacking have increased by 89 percent, while those involving ransomware have surged by 102 percent. Additionally, the number of individuals affected annually by these large breaches has risen by 262 percent. These trends are expected to continue into the foreseeable future. The healthcare sector must increase its efforts to protect electronic health records from cyber attackers and thieves.
Discussion Points
- Regularly review policies and procedures related to HIPAA, PHI, the Privacy and Security rules, and data integrity. Ensure they address measures to prevent security breaches by unauthorized individuals and to guard against and detect malicious software. Update these policies as new information becomes available.
- Train staff involved in the use and maintenance of the organization’s computer information systems on the HIPAA Security Rule, including requirements for conducting risk assessments. Provide training on HIPAA, PHI, and the Privacy and Security rules, emphasizing how to avoid phishing schemes, malware exposures, and unauthorized release of PHI. Additionally, instruct staff on how to detect and report malicious software. Offer further training at least annually and whenever new threats and security information arise. Document all training sessions and keep signed training records in each employee’s education file.
- Conduct periodic audits to ensure staff adherence to data integrity security measures and compliance with the facility’s policies and procedures related to HIPAA, PHI, and the Privacy and Security rules. Additionally, audit to ensure ongoing risk assessments are being conducted.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*