Healthcare and Ransomware: Does HIPAA Compliance Help to Protect?
With the U.K.’s National Health Service being hit hard by the WannaCry ransomware attack, healthcare organizations around the world have been reminded of the vulnerability that the entire industry faces when it comes to digital breaches. The WannaCry attack has been particularly aggressive, with hundreds of thousands of computers being infected worldwide, but even a smaller-scale attack has the power to devastate an entire network.
Why are healthcare organizations a target for ransomware?
Ransomware is more than just a computer virus—it’s an extortion scheme in which victims’ data is held hostage, forcing them to pay to recover it. An individual’s protected health information (PHI) is not only extremely personal; in some cases, its contents are vital to that individual’s well-being. Because of this, victims are more willing to pay to recover their information than to jeopardize their own privacy or health.
On top of the sensitive nature of medical information, healthcare organizations further become a target for hackers due to slow adoption of advanced health IT systems. Though modern medicine continues to rapidly advance, healthcare organizations tend to be slower when it comes to updating existing processes or systems, meaning that digital security in healthcare has yet to catch up to the sophistication of cyber-attacks.
Ransomware will only continue to target healthcare
According to the 2017 Verizon Data Breach report, healthcare is the second most targeted industry when it comes to ransomware attacks; the only industry targeted more often than healthcare is financial services. Additionally, the report found that in 2017, 72% of malware attacks on the healthcare industry were specifically ransomware attacks.
Does HIPAA compliance help to protect against ransomware attacks?
For some healthcare organizations, HIPAA compliance can seem like a chore, or something that’s only followed to avoid penalties. However, part of the practical value of HIPAA compliance is that it can in fact help to protect against cyber-attacks, like ransomware.
HIPAA is made up of a series of rules, one of which is the Security Rule, which sets forth guidelines that can help to protect against cyber-attacks, including ransomware. The HIPAA Security Rule requires all entities and their business associates to thoroughly assess existing and potential risks to PHI that’s created, received or transmitted.
The goal of the HIPAA Security Rule is to establish a minimum level of security that all PHI must maintain. Entities and their business associates are also encouraged to implement further security measures beyond the minimum established, but even adhering to just the guidelines set forth by the Security Rule will go a long way in helping to protect both entities and their business associates from ransomware and other cyber-attacks.
Make sure your business associates are HIPAA compliant
If your organization relies on a business associate to store, transmit or otherwise handle PHI—such as a cloud fax or document management service—take some time to audit that business associate’s adherence to the HIPAA Security Rule. The advent of the WannaCry epidemic has called attention to just how detrimental a cyber-attack can be, especially for organizations transmitting PHI. If you’re partnering with a business associate that’s responsible for PHI in transit or at rest, their HIPAA compliance is imperative for your organization.
Whether you utilize a HIPAA compliant cloud fax or document management solution currently, or you’re in the process of finding one, you can take a look at our Cloud Fax Reference Guide to help establish some requirements for your business needs. Use them to audit your current cloud fax solution’s compliance, or to help guide your search. For more information on Concord’s HIPAA compliant fax or document management solution, you can easily contact us today, or download our guide below to learn more. Don’t put your organization’s security at risk; make sure your business associates take compliance as seriously as you do.