The Department of Health and Human Services issued guidelines this week that could require doctors' offices and clinics to notify users and the HHS if they were the victim of a ransomware attack.

The guidelines stress that implementing security compliance, as part of HIPAA and HITECH, can prevent infections of malware, including ransomware. Specifically, the HHS Fact Sheet states:

  • implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
  • implementing procedures to guard against and detect malicious software;
  • training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
  • implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

The guidelines also stress the importance of backups and business continuity plans for health care providers, so they can continue business after a malware infection.

While HIPAA has been around for over 20 years, the number of audits conducted by the Office for Civil Rights (OCR) has increased substantially over the last year. It's also no longer just health care providers that are required to follow HIPAA rules and regulations. The law has expanded to cover Business Associates, which can include IT providers, accountants, billing entities and more.