Government HIPAA guidance addresses ransomware

July 20, 2016

The U.S. Department of Human Services has released new guidance for health care organizations that focuses on the growing threat of ransomware, stresses the need for better education and regular backups, and confirms that a ransomware attack against plain-text health information is, in fact, a breach that must be disclosed.

The guidance recommends that organizations identify the risks facing their patient information, create a plan to address those risks, set up procedures to protect systems from malware, train users to spot malware, limit access to sensitive information to just the people who need it most, and have a disaster recovery plan that includes frequent data backups.

Ransomware typically gets onto a system through malicious email attachments or links to malicious websites, both of which can be addressed to some degree with employee education.

Understaffed IT departments, however, often err on the side of too much access to appease users and lighten workloads, and this can cause issues. Limiting the access rights of individual users means that if those users get infected, there's less data that the malware can get to.

The new guidance is a summary of industry best practices, which organizations should already have been doing.

In addition to providing recommendations for organizations to help them defend against ransomware, the new guidance also clarifies that a ransomware attack does, in fact, count as a breach because "unauthorized individuals have taken possession or control of the information."

"When electronic protected health information is encrypted as the result of a ransomware attack, a breach has occurred," the HHS guidance said.

Employee education, secure and robust backups, and widespread network security are all important aspects to protect against ransomware and a data breach of PHI.


Source: CSO Online
