In late 2015, security experts predicted that 2016 would be the year of online extortion. They were right. There has been a 300% increase in online extortion this year. It is anticipated that over one million US businesses will be infected with ransomware by the end of this year.
Ransomware prevents computer users from accessing their digital files by encrypting, or password protecting, the files with a key known only to the hacker. The hacker prevents the files from being recovered until a ransom is paid for the encryption key. Downtime associated with the infection and the cost of recovery are the consequences of a ransomware infection for any organization, but the consequences are far greater for those working directly in the healthcare industry and for the business associates who support them.
In late June 2016 the Health and Human Services Department’s Office for Civil Rights released its long-awaited guidance on HIPAA and ransomware. Their guidance was clear:
“When ePHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted was acquired (i.e. unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
Ransomware is unlike any virus you are accustomed to. It is not an attack on computer systems – it is an attack on human vulnerabilities. These sophisticated viruses prey on human mistakes in order to take control of your organization. These threats require just one user to make just one ill-fated mouse click. That one click could be devastating to your entire organization.
Kalleo has penned a whitepaper, “What Healthcare Providers Must Know About Ransomware,” which provides healthcare providers with information about the ransomware threat, including steps to reduce the likelihood of a ransomware infection and, most importantly, how to secure ePHI in a manner that eliminates the need to report a HIPAA breach in the event an infection cannot be prevented. Access the whitepaper here.