There's been a disturbing new trend regarding the use of ransomware in recent years. Ransomware refers to a particular type of malicious software that, once deployed on a victim's computer or computer network, prevents the user from accessing his or her files until a ransom is paid. Data is encrypted, requiring a decryption key to be accessed. But even if this ransom is paid, there's no guarantee that the files will become accessible again.
To make matters worse, it's not just home PC users who are becoming the targets of ransomware; it is also doctors, hospitals and other healthcare facilities. This begs the question: is ransomware considered a data breach under the Health Insurance Portability and Accountability Act (HIPAA) of 1996? A data breach occurs when the Protected Health Information (PHI) of a covered entity is accessed or otherwise compromised by an unauthorized individual. Therefore, conventional wisdom should lead you to believe that ransomware is a data breach.
David Harlow, Principal – The Harlow Group, LLC, recently answered this question in an article published on Forbes. According to Harlow, most ransomware attacks on healthcare practices' networks are not considered data breaches under HIPAA. This is because ransomware encrypts the network's data rather than accessing it. The unauthorized individual attacking the network doesn't necessarily access PHI; rather, he or she encrypts it so that the healthcare facility can no longer access it – not without paying a ransom, at least. “In many cases, ransomware wraps PHI rather than breaches it,” explained Harlow.
Even if ransomware isn't classified as a data breach, doctors and other covered entities should still take precautionary measures to protect their systems from this malicious software. A simple Google News search for “ransomware hospitals” reveals dozens of stories involving ransomware attacks on hospitals. Back in February, for instance, the Hollywood Presbyterian Medical Center in California reportedly paid $17,000 in Bitcoin to unlock its data after it had been encrypted. So, what can you do to protect your healthcare practice from ransomware?
For starters, make sure your data is backed up on a secure, remote storage device, such as the cloud. If you ever become the target of ransomware, you can rest assured knowing that your data can be restored from that backup. Running antivirus software, a firewall, and other digital security measures can also prove useful in protecting against ransomware and similar forms of malicious software.