The global cyberattack that locked providers out of patient records and forced affected hospitals to divert urgent care patients provides an important reminder for facilities to check up on their cyber security systems. The recent threat exploits a flaw in Microsoft’s Windows operating system to propagate a strain of ransomware that encrypts victims’ computer systems and locks users out of critical data until they pay a ransom fee.
Ransomware attacks are reportable as HIPPA breaches. The American Hospital Association (AHA) has held several conference calls to answer questions and facilitate conversations with the Department of Health and Human Services (HHS) to assist health care providers.
Here are some key websites for answers to questions:
- OCR ransomware guidance: ransomware attacks are reportable breaches. https://www.hipaajournal.com/ocr-ransomware-guidance-issued-3500/
- HHS OCR Issues Guidance on Ransomware Attacks and HIPPA Breaches. https://www.healthcare-informatics.com/news-item/cybersecurity/hhs-issues-guidance-ransomware-attacks-and-hipaa-breaches
- Fact Sheet: Ransomware and HIPPA https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
Note: If a facility becomes aware of a HIPPA Breach the notification rule will be tolled for 60 days if the entity notifies law enforcement
Victims of ransomware should contact their FBI Field Officer Cyber Task Force. The latest Microsoft security information is available by visiting the Microsoft Update Catalog for the latest security updates. Click on https://www.catalog.update.microsoft.com/Home.aspx.