For some insurance agencies, benefit plan administration firms and law firms, a ransomware infection could bring trouble with federal regulators on top of the ransom demand from the attackers who deployed it.
Officials at the Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services (HHS), address ransomware compliance issues in a new batch of “guidance,” or semiformal advice.
Organizations that hold people’s health information should take HHS data security and incident response planning requirements seriously, and they should be prepared for ransomware attacks before the attacks start, officials say in the guidance.
If an organization notices that it’s being attacked, it “must initiate its security incident and response and reporting procedures,” officials say.
The civil rights office uses a four-factor risk assessment to decide whether an incident is likely to have compromised health data. Some common health data protection measures, such as encrypting the data, may do little against ransomware, officials say. Full disk encryption, for instance, protects data only while the device is powered off; once the machine is booted and unlocked, the operating system transparently decrypts the disk for every running process, so malware on that machine reads and encrypts the same plaintext the user sees.
If, for example, all that’s protecting health information on a ransomware-infected laptop is full disk encryption, “a breach is presumed,” officials say.
The Health Insurance Portability and Accountability Act of 1996 requires a company affected by a breach to notify the HHS secretary, and to warn the people whose records were breached “without unreasonable delay.”
If a breach affects more than 500 people, the affected company must alert the media.