The Department of Health and Human Services (HHS) have released its newest guidelines for healthcare facilities when faced with a ransomware attack in response to insufficient security of data.

With the number of cyber-attacks to healthcare industries doubling in recent years, HHS released its guidelines in the hopes of both education healthcare officials and helping them relize how important of a problem ransomware is.

The new guidelines suggest that healthcare facilities report all ransomware attacks as data breaches, stating the data breach is “presumed and notification of the individuals whose information is involved in the breach and HHS is required,” according to an HHS spokesperson. The guidelines also hope to get the facilities more involved in their reporting process.

“We have seen that attacks due to hacking, including malware and ransomware, are on the rise in reports that we are receiving from HIPAA-covered entities and business associates,” the spokesperson said, “[but] we cannot comment on incidents that have not been reported.” 

According to the guidelines, incident procedures for responding to a ransomware attack should include steps to:

• Detect and conduct an initial analysis of the ransomware.
• Contain the impact and propagation of the ransomware.
• Eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation.
• Recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations.
• Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.