[ Tuesday, February 16, 2016 ]
Jeff [2:11 PM]
Maintaining a safe and secure data environment is a requirement of the Security Rule, and includes protection against malicious software, security incident response and reporting, data backup, disaster recovery and emergency mode operation. All of these can be implicated if a healthcare entity finds itself subject to a ransomware demand. A ransomware attack occurs when an attacker gains access to computer systems, installs malware that encrypts databases and files, and demands that the victim pay a ransom to obtain the decryption key. Without the decryption key, the data is entirely useless. Usually, the attacker holds the key and threatens to destroy it after a short deadline (a few hours or days), leaving the victim with no time to try any fix other than paying the ransom: once the key is deleted, it is virtually impossible to unscramble the data (absent an implementation flaw in the malware's cryptography, which a victim cannot count on). Even if there is no "breach" because the data is never exported, falling victim could be an indication of a HIPAA failure (mainly, failure to have sufficient safeguards), not to mention a potentially fatal blow to your business.
This is a real situation at Hollywood Presbyterian Medical Center in California. The ransom demand was $3.6 million.
Understanding the threat of a ransomware attack must be a part of your risk analysis, and you must plan for how to react to such an occurrence. Good perimeter testing, patch management, management of internet-facing computing assets, virus and malware protection, training to keep phishing attacks from succeeding, and of course good (and well-protected, preferably offline or otherwise isolated) backups that you have actually tested restoring from will help, too.