For some insurance agencies, benefit plan administration firms and law firms, ransomware infections could lead to trouble with federal regulators as well as demands for cash from the ransomware issuers.

Officials at the Office for Civil Rights, part of the U.S. Department of Health and Human Services, talk about ransomware compliance issues in a new batch of “guidance,” or semiformal advice.

Organizations that hold people’s health information should take HHS data defense requirements and incident response planning requirements seriously, and they should be ready for ransomware attacks before the attacks start, officials say in the guidance.

If an organization notices that it’s being attacked, it “must initiate its security incident and response and reporting procedures,” officials say.

The civil rights office uses a four-factor risk assessment to decide whether an incident is likely to have compromised health data. Some common health data protection strategies, such as encrypting the data, may not do much to protect the data against ransomware, officials say.

If, for example, all that’s protecting health information on a ransomware-infected laptop is full disk encryption, “a breach is presumed,” officials say.

The Health Insurance Portability and Accountability Act of 1996 requires a company affected by a breach to notify the HHS secretary, and to warn the people whose records were breached “without unreasonable delay.”

If a breach affects more than 500 people, the affected company must alert the media.


Civil rights office officials aimed the new advice at companies and nonprofit organizations that have to comply with the HIPAA Security Rule.

The civil rights office developed the HIPAA Security Rule to set standards for protecting people’s health information from hackers, stalkers and others who have no right to see the information. Regulators classify hospitals and health insurers as “covered entities” for purposes of health data security. Regulators apply similar rules to the covered entities’ business associates.

The list of business associates includes health insurance agents and brokers, many health plan administrators, and some agents who sell medically underwritten products other than major medical insurance.

In some cases, federal regulators may classify law firms that advise insurers, hospitals or other HIPAA covered entities as business associates.
