The threat of ransomware is hitting every sector of the economy. But the biggest, most dangerous and disastrous attacks have been occurring in the more lightly defended parts of industry and government. Healthcare has been especially hard hit.
The U.S. Department of Health and Human Services (HHS) is seeking to change this situation by issuing new guidance. Preventing ransomware is now more clearly expected for HIPPA compliance.
From a HHS blog post:
To help health care entities better understand and respond to the threat of ransomware, the HHS Office for Civil Rights has released new Health Insurance Portability and Accountability Act (HIPAA) guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including:
- Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
- Implementing procedures to safeguard against malicious software;
- Training authorized users on detecting malicious software and report such detections;
- Limiting access to ePHI to only those persons or software programs requiring access; and
- Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.
More details are provided in a PDF sheet on the HHS website: