It seems we can’t have a conversation about data security these days without mentioning ransomware. Public and private companies are reporting increasing numbers of ransomware attacks, and health care providers and business associates are no exception to this trend.
Ransomware – What is it?
At its most fundamental, ransomware is a type of malicious software that infiltrates a person's or company's computer system and encrypts certain data that is stored electronically. Essentially, ransomware locks users out of their data until a “ransom” is paid. Ransomware may also be used in conjunction with other malware to gain access to IT systems in an effort to steal data housed within those systems.
Although not expressly mentioned in the Security Rule, a covered entity or business associate’s HIPAA compliance program necessarily must include analyses relating to the potential for, and responses to, ransomware attacks. Risk management plans, risk analyses, and other security assessments should identify threats and vulnerabilities to electronic protected health information (PHI) and a company needs to implement procedures to guard against and detect malicious software, including ransomware.