Healthcare News & Insights

Feds offer guidance about ransomware

As ransomware attacks started becoming a bigger threat to hospitals, the feds largely remained silent on the specific steps facilities should take to keep patients’ protected health information (PHI) safe. Now, the U.S. Department of Health & Human Services (HHS) has finally issued clear guidance about ransomware for healthcare providers. 

Currently, cybercriminals are growing more interested in hacking medical records to get unauthorized access to patients’ PHI.

They’ll either sell the information on the black market (as evidenced by a recent scandal where a hacker advertised the sale of millions of medical records online) or they’ll hold it hostage in exchange for a ransom payment.

The new HHS guidance gives hospitals a framework for dealing with these attacks.

Prevention procedures

The first step is to consider the facility’s general performance with HIPAA compliance, since various security measures required by HIPAA can protect against ransomware attacks and keep patients’ PHI secure from hackers.

Per the guidance, hospitals should take ransomware into account when conducting their mandated HIPAA risk analysis to identify potential threats to patients’ PHI.

Security measures should be put in place specifically to address any risks uncovered during the analysis, and hospitals should have general procedures in place to protect patients’ data from ransomware programs and other malicious software (such as keeping antivirus software up to date).

All staff who use hospital computers or email should be specifically trained on recognizing and avoiding malware – particularly when clicking on links, opening file attachments or visiting websites.

Staff members should also be encouraged to report any issues they encounter as soon as possible so the threat can be contained immediately. Warning signs that a ransomware attack may be under way include an unexplained increase in computer and disk activity, and trouble opening files that were previously accessible.
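As an added illustration (not part of the HHS guidance or of this article), the following Python script shows how the two warning signs just mentioned could be turned into an automated check over a file-activity log: one machine rewriting and renaming far more files per minute than normal, and the same machine then failing to open the files it touched. The event format, host names, paths and thresholds are assumptions chosen for the demonstration; real monitoring would read them from the hospital’s own file-server or endpoint logs.

```python
"""Added illustration: flag the two ransomware symptoms named in the article
(a sudden surge in file activity on one machine, and a run of failed file
accesses) over constructed file-activity events. Not real hospital logs."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def build_sample_events():
    """Construct sample events as (timestamp, host, action, path) tuples.
    Hosts, paths and timings are invented for this demonstration."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    events = []
    # ws-nurse-07: ordinary behaviour, one chart saved every 90 seconds.
    for i in range(10):
        events.append((base + timedelta(seconds=90 * i), "ws-nurse-07",
                       "write", f"S:/Charts/patient_{1000 + i}.pdf"))
    # ws-billing-03: 40 files rewritten and renamed within 20 seconds,
    # the kind of burst that shows up as "unexplained disk activity".
    for i in range(40):
        t = base + timedelta(seconds=300 + i // 2)
        events.append((t, "ws-billing-03", "write", f"S:/Claims/claim_{i}.docx"))
        events.append((t, "ws-billing-03", "rename",
                       f"S:/Claims/claim_{i}.docx.locked"))
    # ws-billing-03 afterwards cannot open the files it just touched.
    for i in range(6):
        events.append((base + timedelta(seconds=400 + i), "ws-billing-03",
                       "open_failed", f"S:/Claims/claim_{i}.docx"))
    events.sort(key=lambda e: e[0])  # stable sort keeps per-host order
    return events


def detect_activity_bursts(events, window_seconds=60, threshold=20):
    """Return {host: count} for hosts whose write/rename operations exceed
    `threshold` inside any sliding window of `window_seconds`.
    The count recorded is the window size at the first crossing."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, host, action, _ in events:
        if action not in ("write", "rename"):
            continue
        q = recent[host]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) > threshold and host not in flagged:
            flagged[host] = len(q)
    return flagged


def detect_access_failures(events, threshold=5):
    """Return {host: failures} for hosts with at least `threshold`
    failed file opens, a sign that files may already be encrypted."""
    failures = Counter(host for _, host, action, _ in events
                       if action == "open_failed")
    return {host: n for host, n in failures.items() if n >= threshold}


def triage(events):
    """Combine both indicators into {host: set(of indicator names)} so a
    help desk can see which machines to isolate and investigate first."""
    findings = defaultdict(set)
    for host in detect_activity_bursts(events):
        findings[host].add("activity_burst")
    for host in detect_access_failures(events):
        findings[host].add("access_failures")
    return dict(findings)


if __name__ == "__main__":
    sample = build_sample_events()
    for host, indicators in triage(sample).items():
        print(f"{host}: {', '.join(sorted(indicators))}")
```

In this constructed run only ws-billing-03 is reported, with both indicators; the nurse workstation, which saves a chart every minute and a half, never comes close to the burst threshold. The thresholds are deliberately simple so that the logic is easy to tune against a facility’s own baseline of normal file activity.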

Hospitals should also exercise caution regarding who should have access to patients’ PHI in electronic health records (EHR) systems. Permissions should be limited on users’ accounts so they can only review the information that’s necessary for their role. Not only does this make it harder for hackers to break into a hospital network, it also protects facilities against HIPAA violations caused by staff themselves.

Managing attacks

Having a specific action plan in place is essential for hospitals that fall victim to ransomware attacks. Facilities must have a data backup plan in place for any emergency, according to HIPAA guidelines, and ransomware is no different.

To minimize the impact on daily operations should a ransomware attack occur, data should be securely backed up on a regular basis. Because ransomware that reaches a network can also encrypt backups stored on that network, HHS recommends that hospitals maintain backups offline, away from their networks.

The HHS guidance also lists the steps hospitals should take if they fall victim to a ransomware attack:

  • Conduct an initial analysis of the ransomware attack, including the type of software (if known) and its scope.
  • Contain the impact of the attack immediately.
  • Remove ransomware from infected networks and machines, and shore up the weak spots that caused the ransomware attack.
  • Restore the data lost during the ransomware attack and return to normal operations.
  • Conduct a “post-incident” analysis, which includes reviewing the attack to see if the hospital must report a data breach and incorporating any lessons learned into future security efforts.
