HHS releases guidelines for healthcare facilities facing ransomware attacks

The Department of Health and Human Services (HHS) has released its newest guidelines for healthcare facilities faced with a ransomware attack, in response to insufficient security of data.

With the number of cyber-attacks on the healthcare industry doubling in recent years, HHS released its guidelines in the hope of both educating healthcare officials and helping them realize how important a problem ransomware is.

The new guidelines suggest that healthcare facilities report all ransomware attacks as data breaches, stating the data breach is “presumed and notification of the individuals whose information is involved in the breach and HHS is required,” according to an HHS spokesperson. The guidelines also hope to get the facilities more involved in their reporting process.

“We have seen that attacks due to hacking, including malware and ransomware, are on the rise in reports that we are receiving from HIPAA-covered entities and business associates,” the spokesperson said, “[but] we cannot comment on incidents that have not been reported.” 

According to the guidelines, incident procedures for responding to a ransomware attack should include steps to:

  • Detect and conduct an initial analysis of the ransomware.
  • Contain the impact and propagation of the ransomware.
  • Eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation.
  • Recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations.
  • Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.
Cara Livernois, News Writer

Cara joined TriMed Media in 2016 and is currently a Senior Writer for Clinical Innovation & Technology. Originating from Detroit, Michigan, she holds a Bachelor's in Health Communications from Grand Valley State University.
