Tip: Hammer out a security management process ASAP. According to recent evidence from the feds, you’re right to be worried about your IT systems. Moreover, securing patients’ electronic protected health information (ePHI) has become more perilous during the pandemic with hackers ratcheting up their attacks. In fact, the healthcare industry is under greater threat than ever before. Background: In a joint advisory issued on Oct. 28, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) announced that cyber criminals are ramping up their efforts to take down healthcare systems worldwide with more sophisticated malware and ransomware attacks. The three agencies point to the utilization of an amalgam of programs that build on each other — seizing systems, encrypting data, and essentially blocking providers from doing their jobs. Eventually, hackers demand providers and hospitals pay up if they want to access their data and help patients. The costs both professionally and financially can be astronomical (see story p.1). Concern over these latest ransomware threats is justified, but HIPAA compliance can play a role in thwarting cyber attacks for covered entities (CEs) and their business associates (BAs), suggests HHS in its recent fact sheet “Ransomware and HIPAA.” A combination of a security management process, identifying and remedying risks, and training staff on spotting malicious activity are all factors that decrease providers’ chances of a data security incident, the brief indicates. Caution: There’s another major reason you might want to do your best to avoid a ransomware attack other than the typical worries and hassles. If you choose to pay off the hackers to get your data back, you could now find yourself bogged down with federal fines. “Unfortunately for healthcare providers, the Department of Treasury recently announced that any entity that pays a ransom to get their data returned will be in violation of the International Emergency Economic Powers Act and will thus be subject to paying steep civil monetary penalties, not to exceed $250,000,” warns Wachler & Associates in its Health Law Blog. See the Intersection of a Ransomware Attack and a HIPAA Breach According to HHS, the presence of ransomware on your computer isn’t necessarily a violation. The facts of the case, subsequent investigations, and risk analyses determine whether or not a breach has happened. Definition: If you’re confused about what constitutes a breach under HIPAA, you’re not alone. “According to the Privacy Rule, a breach is any acquisition, access, use, or disclosure in violation of the Privacy Rule — and that covers a lot,” explains Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC in Charlotte, Vermont. In addition, if evidence gleaned from the risk assessment shows that there was a “low probability” that PHI was compromised, then the incident might not be a breach, indicates HHS Office for Civil Rights (OCR) breach guidance. And to make this determination, HIPAA (45 C.F.R. 164.402(2)) requires you to perform a risk assessment on at least these four factors: Tip: A comprehensive risk analysis using these four factors can help you uncover not only the specifics but also whether there was a low probability of compromise of the PHI. For example, the investigation may identify the type of virus in your system, how it got there, what the malware is doing, and whether ePHI has been impacted. Add These Mitigation Steps to Your HIPAA To-Do List Even though cyber crime is increasing during COVID-19, that doesn’t mean that there aren’t things you can do to circumvent a ransomware attack. Initial steps should always include staff training and security management. Why? It’s also critical that all personnel understand that it can happen to any organization no matter the size or scope; these types of hackers don’t discriminate. “End users are targeted,” exhorts the advisory. It is essential that you “make employees and stakeholders aware of the threats — such as ransomware and phishing scams — and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities,” the brief continues. Important: “Ransomware can affect practices through both targeted and non-targeted attacks,” advises Jen Stone, MSCIS, CISSP, QSA, a security analyst with Security Metrics in Orem, Utah. “A lot of my customers think they’re too small to be targets, and maybe that’s true, but the non-targeted attacks are still out there,” she adds. Though your physical and financial resources may determine your mitigation strategies, there are many little things that your organization can do to cut down the likelihood of an attack. Consider adding these HIPAA-friendly tips and tactics to your compliance checklist: End point: The feds recommend that all providers consider worst-case scenarios. “Plan for the possibility of critical information systems being inaccessible for an extended period of time,” urges the advisory. Organizations should figure out ahead of time how they will communicate and maintain records while caring for patients during the pandemic. Additionally, they may want to practice paper-based methods regularly and train staff accordingly. Resource: See HHS insight on ransomware and HIPAA at: www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.