The Importance of Maintaining HIPAA Security

The HIPAA law was enacted in order to protect patients and their health care information. Through the HIPAA law patients are granted the right to view and obtain copies of their health care records, request corrections to be made regarding health information, and ensure confidence that health care information will not be shared with unauthorized parties for any reason without the permission of the patient. Honoring the HIPAA law maintains privacy and confidentiality of the patient, and failing to maintain HIPAA security is punishable by law.

Ransomware Attacks on the Rise

Technological advancements have allowed the healthcare industry to store health records online, and although convenient and energy efficient, the online storage of confidential health records establishes a predisposition to ransomware attacks. Ransomware, a type of malicious software used by hackers, is designed to encrypt and deny access to the data stored on the entities servers – only releasing the data via decryption key after a cryptocurrency ransom is paid.

Often the data is exported or destroyed and never recovered by the ransomware’s victim. Despite attempts by professionals to avoid the compromise of patients’ health records, ransomware attacks are becoming increasingly more prevalent, especially in the healthcare industry . One way to be protected is to make sure you have an active back-up plan and regularly test them so that you are prepared if ransomware strikes your business. You should avoid paying anyone holding access to your data.

When Ransomware Strikes – Course of Action

Although the HIPAA Security Rule requires professionals storing sensitive patient information on their servers and network is to utilize specific security measures to avoid ransomware attacks and the potential breech of patient confidentiality, attacks do still occur. In the event that ransomware breeches your security measures as required by the HIPAA security rule, it may be necessary to enact your business incidence response plan and employ your business continuity plan while the issues are being reviewed and with some luck, resolved. It will also require you to disclose your breach by notifying affected parties. Ensuring that you have a plan that you’re confident in in the event that a ransomware attack happens will allow your business to quickly resume its activities while your ransomware breech is being investigated.

How to Best Protect Your Business

Conducting a risk assessment is recommended to ensure that your information and that of your patients’ information remains safe and compliant with the laws of HIPAA. Risk assessments can evaluate the likelihood that an attack will or has infiltrated the system’ compromising the personal health information of patients. Further, a risk assessment can predict whether or not there is a likelihood that ransomware may attack again in the future.

When investigating a ransomware attack, it is important to uncover what insufficiencies allowed the malicious software to infiltrate the system – doing so can help provide insight into what facets of the system need strengthened to avoid another security breech. In some cases, risk analysis can reveal information such as identifying the unauthorized user of personal health information and which personal health information has been compromised so that appropriate actions can be taken to notify and protect the individuals whose information and privacy has been neglected.

At the end of the day, the most important piece of advice to protect your clients is this: be aware and prepare for the possibility of an attack – it can be the difference between the deterioration of your business or the quick reassuming of day-to-day business as usual.

References:

https://www.hhs.gov/hipaa/

https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf