OCR Issues Guidance on Ransomware Prevention and Response
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has published a video presentation offering guidance to HIPAA-regulated entities on ransomware prevention and compliance with the HIPAA Security Rule.
The video presentation was released in recognition of National Cybersecurity Awareness Month to improve awareness of the threat of ransomware and educate HIPAA-regulated entities on how compliance with the HIPAA Security Rule can help prevent ransomware attacks and limit their impact.
OCR investigates all large data breaches (500 or more records) to determine if noncompliance with the HIPAA Rules led to or contributed to the attack. These investigations have allowed OCR to identify ransomware trends, which Nick Heesters, OCR’s senior advisor for cybersecurity, explains in the video presentation. Ransomware attacks on HIPAA-regulated entities increased by 102% between 2019 and 2023 and large numbers of attacks have already been reported this year. It is clear that ransomware is one of the biggest threats to health information privacy.
OCR is currently working on an update to the HIPAA Security Rule and there have been calls for much stricter cybersecurity standards for healthcare organizations; however, compliance with current HIPAA Security Rule provisions can greatly reduce an organization’s susceptibility to ransomware attacks and limit their severity should an attack succeed.
OCR’s investigations of ransomware-related data breaches have revealed that some HIPAA-regulated entities have only partially complied with the provisions of the HIPAA Security Rule or have improperly implemented certain provisions. Had the entity been fully compliant, the attack could have been prevented or its severity could have been reduced. These compliance failures opened the door for hackers, and security mistakes allowed them to operate undetected inside healthcare networks for months.
In one investigation, OCR found that the covered entity had implemented a Security Information and Event Management (SIEM) system that generated rules-based alerts to identify potential unauthorized system activity. The SIEM system detected a potential compromise and sent the alerts via email to a member of the security team; however, that team member had left the organization 3 weeks prior to the attack and the email alerts were no longer being monitored.
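The failure described above is a routing problem rather than a detection problem: the SIEM fired, but its only recipient no longer existed. The following script is an added example (not OCR's guidance or any SIEM vendor's code) that audits exported notification rules against an HR or identity roster and flags rules whose recipients are terminated, unknown, or purely individual mailboxes with no shared, monitored queue. The rule names, addresses and roster entries are constructed sample data; the export formats are assumed.

```python
"""Audit SIEM alert routing against the active workforce roster.

Added example, not OCR's or any vendor's code. It assumes the SIEM can
export its notification rules as (rule name, recipient list, severity) and
that HR/identity can export each mailbox's active/terminated status. All
records below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AlertRoute:
    rule: str
    recipients: tuple[str, ...]
    severity: str  # "critical" | "high" | "medium" | "low"


@dataclass(frozen=True)
class Account:
    email: str
    active: bool
    termination_date: Optional[date] = None


# Constructed roster: one departed analyst, one active analyst, one shared queue.
ROSTER = {
    "a.lopez@example-health.test": Account("a.lopez@example-health.test", True),
    "j.chen@example-health.test": Account("j.chen@example-health.test", False, date(2024, 8, 30)),
    "soc-alerts@example-health.test": Account("soc-alerts@example-health.test", True),
}

# Mailboxes that are staffed queues rather than one person's inbox.
SHARED_MAILBOXES = {"soc-alerts@example-health.test"}

# Constructed SIEM notification rules (hypothetical names).
ROUTES = [
    AlertRoute("Mass file rename / encryption burst", ("j.chen@example-health.test",), "critical"),
    AlertRoute("Privileged group membership change",
               ("a.lopez@example-health.test", "j.chen@example-health.test"), "high"),
    AlertRoute("Large outbound transfer to new external host",
               ("soc-alerts@example-health.test",), "high"),
    AlertRoute("Failed logon spike", ("nobody@example-health.test",), "medium"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def classify_recipient(email: str, roster: dict[str, Account]) -> str:
    """Return 'active', 'terminated' or 'unknown' for one recipient address."""
    acct = roster.get(email)
    if acct is None:
        return "unknown"
    return "active" if acct.active else "terminated"


def audit_routes(routes, roster, shared_mailboxes) -> dict[str, list[str]]:
    """Map each problematic rule name to a list of human-readable findings."""
    findings: dict[str, list[str]] = {}
    for route in routes:
        issues = []
        status = {r: classify_recipient(r, roster) for r in route.recipients}
        live = [r for r, s in status.items() if s == "active"]
        for r, s in status.items():
            if s != "active":
                issues.append(f"recipient {r} is {s}")
        if not live:
            issues.append("no active recipient: alerts are unmonitored")
        elif not any(r in shared_mailboxes for r in live):
            issues.append("only individual mailboxes; add a shared, monitored queue")
        if issues:
            findings[route.rule] = issues
    return findings


def orphaned_rules(routes, roster) -> list[str]:
    """Rules with no active recipient at all, most severe first."""
    bad = [r for r in routes
           if not any(classify_recipient(x, roster) == "active" for x in r.recipients)]
    return [r.rule for r in sorted(bad, key=lambda r: SEVERITY_ORDER[r.severity])]


if __name__ == "__main__":
    for rule, issues in audit_routes(ROUTES, ROSTER, SHARED_MAILBOXES).items():
        print(rule)
        for issue in issues:
            print("  -", issue)
    print("orphaned:", orphaned_rules(ROUTES, ROSTER))
```

Running this as part of the offboarding workflow (or nightly) turns a silent failure into a ticket: a critical rule whose only recipient left three weeks ago shows up as orphaned before, not after, the intrusion. The shared-queue check addresses the underlying design weakness, since a staffed distribution list does not disappear when one analyst does.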
Some of the most commonly identified HIPAA compliance failures include not providing security awareness training to all members of the workforce. Security awareness training is vital for raising awareness of threats and eradicating bad security practices that can give threat actors the access they need. A successful ransomware attack may encrypt files without necessarily causing a data breach; however, OCR often found that protected health information stored on the network had not been encrypted. Had it been encrypted, any exfiltrated data would not have exposed patient information and there would not have been a reportable breach to investigate.
The HIPAA Security Rule requires backups to be made, but poor backup practices are often identified in OCR’s investigations, such as the failure to follow the 3-2-1 approach to backing up data: make three separate backups, store them on at least two different media, and ensure that one copy is kept securely off-site. This approach helps ensure a rapid recovery in the event of file encryption.
Recent enforcement actions by OCR over ransomware-related data breaches have identified insufficient reviews of activity in information systems, which allowed intrusions to go undetected for weeks or months. One of the most commonly identified HIPAA compliance issues is the failure to conduct a comprehensive, accurate, organization-wide risk analysis, manage the identified risks, and reduce them to a low and acceptable level.
Being fully compliant with the HIPAA Security Rule may not always prevent attacks and data breaches, but non-compliance or partial compliance with the HIPAA Security Rule often contributes to the failure to stop, contain, and recover from a ransomware attack. When OCR investigates data breaches, investigators look for any underlying noncompliance that caused or contributed to the attack. Three recent enforcement actions have resulted in financial penalties for non-compliance with the HIPAA Security Rule.