Hackers looking to steal patients’ personal data and the growing likelihood of a HIPAA audit can combine into a perfect storm for medical practices. The Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) is responsible for reviewing medical practices and other covered entities to ensure compliance with HIPAA’s privacy and security rules. The risk of an audit is escalating because earlier OCR findings showed that a significant share of medical entities had never performed a thorough security risk assessment. Entities found to have suffered data breaches face steep fines when they fail an audit; recently, the OCR collected two multimillion-dollar settlements from medical providers whose unencrypted laptops were stolen.
Ransomware is unquestionably costing medical practices, and the cost comes from three directions: the OCR, patients and the cybercriminals themselves. Practices can lose existing and potential patients who fear the theft of their personal information. In February 2016, attackers shut down the computers at Hollywood Presbyterian Medical Center in Los Angeles until the hospital paid $17,000 in ransom in Bitcoin; the medical center was held hostage for 10 days. For criminals, holding data hostage is an easier way to earn money than selling it on the black market, and medical offices, hospitals and other facilities are rich targets because they hold current, complete personal data on their patients.
CryptXXX Ransomware and Other Variants
CryptXXX ransomware and newer variants could result in a reportable HIPAA breach and an investigation by the OCR. CryptXXX encrypts files and demands a ransom to release them, but it does more than encrypt: it can also harvest passwords and other data from web browsers, email clients, FTP programs and instant messenger applications, and PC security researchers report that it may collect Bitcoin wallet credentials as well. Because the malware steals data as well as encrypting it, an infection is not merely an availability problem. With a reportable breach, healthcare organizations also face damage to their reputations from having to notify patients of the ransomware incident.
The Key Takeaway on Ransomware and HIPAA Audits
The OCR has made clear that ransomware poses a real threat to healthcare organizations, and it puts the burden on the organization to demonstrate whether a ransomware attack is a reportable breach under HIPAA’s breach notification rules. To do that, the organization needs network and endpoint controls that produce evidence for the OCR: which data was accessed, whether the integrity of that data was affected, and what communications took place with the criminals’ command-and-control servers. This means collecting data before, during and after the malware attack. Without the proper controls and technology in place, the organization cannot show a low probability that the data was compromised, and the breach will most likely have to be treated as reportable.
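One piece of the evidence described above, the integrity of the data, is straightforward to establish if a hash baseline exists from before the incident. The following is an added example, not QualityIP’s code or any product’s: it records a SHA-256 manifest of a records directory while the data is known good, repeats the walk after an incident, and reports exactly which files were altered, removed or newly written. The directory layout, file names and the simulated ransomware actions (overwriting one file, renaming another, dropping a note) are constructed for the demonstration and are not a description of CryptXXX’s behaviour.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large records do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk `root` and return {relative_path: {"sha256": ..., "size": ...}}."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    # In practice the baseline must live somewhere the ransomware cannot reach
    # (write-once storage, a separate host); here it is just written to disk.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Diff two manifests into the four categories an investigator needs."""
    modified = sorted(k for k in baseline if k in current and baseline[k]["sha256"] != current[k]["sha256"])
    intact = sorted(k for k in baseline if k in current and baseline[k]["sha256"] == current[k]["sha256"])
    removed = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "intact": intact, "removed": removed, "added": added}


def demo() -> dict:
    """Constructed scenario: baseline three files, simulate an attack, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "records"
        (root / "billing").mkdir(parents=True)
        (root / "patient_001.txt").write_text("Name: A. Example\nDOB: 1970-01-01\n")
        (root / "patient_002.txt").write_text("Name: B. Example\nDOB: 1980-02-02\n")
        (root / "billing" / "invoice_2016-02.csv").write_text("id,amount\n1,100\n")

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Simulated ransomware (constructed, not CryptXXX behaviour):
        # one file overwritten in place, one renamed, one ransom note dropped.
        (root / "patient_001.txt").write_bytes(os.urandom(64))
        (root / "patient_002.txt").rename(root / "patient_002.txt.locked")
        (root / "README_DECRYPT.txt").write_text("pay us\n")

        return compare_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff shows which records lost integrity and which survived untouched, which is the per-file evidence an OCR risk assessment asks for. It says nothing about what was read or sent out of the network; that part of the record has to come from access logs and from network captures of traffic to the attackers’ servers, which is why those controls need to be in place before the incident rather than after.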
Turn to QualityIP as your trusted choice when it comes to staying ahead of the latest information technology tips, tricks and news about HIPAA audits and ransomware. Contact us at (330) 931-4141 or send us an email at [email protected] for more information.