By Rose Willis
- Conducting a thorough and accurate risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks.
- Implementing procedures to guard against and detect malicious software.
- Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections.
- Implementing access controls to limit access to ePHI to only those persons or software programs requiring access.
- Implementing a data backup plan and ensuring the integrity of the backed-up data by conducting test restorations. Backups should be kept offline where possible, because some ransomware variants have been known to remove or otherwise disrupt online backups.
The Guidance also reminds us that the presence of ransomware (or any malware) on computer systems is a “security incident” that could be considered a reportable breach under the HIPAA Rules. Security incidents must be addressed under the entity’s security incident procedures and its response and reporting processes. Whether a given security incident is a breach is a fact-specific inquiry. The extent to which the entity has encrypted its ePHI will be a key factor in determining whether the presence of ransomware is a reportable breach.