{"id":1348,"date":"2016-08-01T08:40:56","date_gmt":"2016-08-01T12:40:56","guid":{"rendered":"https:\/\/tsisupport.com\/?p=1348"},"modified":"2021-07-07T05:14:41","modified_gmt":"2021-07-07T09:14:41","slug":"new-hipaa-guidelines-on-ransomware-disclosures","status":"publish","type":"post","link":"https:\/\/tsisupport.com\/tsistaging\/?p=1348","title":{"rendered":"Data Security: New HIPAA Policies &#038; Procedure on Ransomware Disclosures"},"content":{"rendered":"<p style=\"text-align: justify;\">The Department of Health &amp; Human Services Office for Civil Rights (OCR) has issued guidance on how to manage the increasing frequency of ransomware attacks against healthcare providers. Ransomware is malware that encrypts data until a ransom is paid to the hacker, who, in return, will <em>hopefully<\/em> issue the encryption key to unlock the data on your machines. It is a very real threat for any provider who has electronic health record systems. However, these guidelines are somewhat vague on what is or isn\u2019t considered a data breach. That is why we decided to provide some clarity on the latest release.<!--more--><\/p>\n<p style=\"text-align: justify;\"><span style=\"color: #800000;\"><strong>Background: <\/strong><\/span>A recent U.S.
government interagency report has indicated that there have been, on average, over 4,000 daily ransomware attacks since the New Year. That is a 300% increase over the 1,000 daily attacks reported the year before. This is why California Representative Ted Lieu submitted a bill that would require medical organizations to treat ransomware attacks as data breaches, requiring providers to issue breach notifications to those affected.<\/p>\n<p style=\"text-align: justify;\"><span style=\"color: #800000;\"><strong>Defining A Breach: <\/strong><\/span>The document is very clear that any ransomware attack on a covered organization that successfully encrypts health data should be treated as a breach. However, the mere presence of ransomware does not necessarily mean Electronic Protected Health Information (ePHI) was compromised. This determination is left to the HIPAA Privacy Rules, which define a breach as the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted that compromises the security or privacy of PHI.<\/p>\n<p style=\"text-align: justify;\">Basically, this means if ePHI becomes encrypted as a result of a ransomware attack, a breach has occurred because ePHI was compromised the moment an unauthorized person took possession or control of your data. In this scenario, you need to comply with the notification provisions, including notification to those affected, the Secretary of HHS, and the media (for breaches affecting over 500 individuals) without unreasonable delay.<\/p>\n<p style=\"text-align: justify;\">However, if you can demonstrate that there was a low probability the PHI was compromised based on the Breach Notification Rule, no notices need to be issued. This determination is done through a risk assessment that takes into account multiple factors, including the nature and extent of the PHI involved, types of identifiers and likelihood of re-identification, the unauthorized person who used the
PHI or whom it was disclosed to, and whether the PHI was actually acquired or viewed, as well as the extent to which the risk to the PHI has been counteracted.<\/p>\n<p style=\"text-align: justify;\">Even when PHI was encrypted before an attack occurred, the incident can still be interpreted as a breach, unless the assessment determines that the encryption solution has rendered the PHI unreadable, unusable, and indecipherable to unauthorized persons.<\/p>\n<p style=\"text-align: justify;\"><span style=\"color: #800000;\"><strong>Takeaway: <\/strong><\/span>The most important takeaway from the document is to prevent ransomware attacks and safeguard your data before an attack ever occurs. All HIPAA covered organizations are required to develop and implement proper procedures to respond to malware and other security risks. This means incorporating processes to isolate infected machines and prevent an attack from spreading throughout your network. Frequent data backups, and testing to ensure you have the ability to quickly recover from an attack, are also paramount.
For more information from one of our HIPAA experts, including risk assessment, maintenance, reporting, and compliance regulations, <a href=\"https:\/\/tsisupport.com\/tsistaging\/contact\/\">contact us<\/a> today!<\/p>\n","protected":false},"author":2,"featured_media":8437,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[7],"tags":[239,255,256,257,258,259,260,244],"acf":[],"yoast_head_json":{"title":"New HIPAA Policies & Procedure on Ransomware Disclosures | TSI","og_site_name":"TSI Support","article_published_time":"2016-08-01T12:40:56+00:00","article_modified_time":"2021-07-07T09:14:41+00:00","author":"Roger Murray"}}