Protecting Patient Data From Hacker Ransom Demands

BakerHostetler

Forty bitcoins later (approximately $17,000), Hollywood Presbyterian Hospital can now access its electronic medical health records and return to treating its patients as scheduled. But as hackers develop new tools to access information, an increasing number of providers will be targeted and ransom demands will escalate, putting hospitals and patients at risk. Focusing on technical cybersecurity protection, workforce training, and comprehensive risk analysis and management will enable covered entities and business associates to better withstand attacks and reduce vulnerabilities.

On February 2, 2016, three days prior to the attack on Hollywood Presbyterian Hospital, the Office for Civil Rights (OCR) released an email on ransomware and preventing ransomware infection as part of its cybersecurity awareness initiative. Ransomware is a type of malware that can infect systems, encrypt files, or otherwise block users from their data until the institution or person pays a ransom to regain access. As with any malware, the avenue of attack can be email, open remote connection ports, and more. Hollywood Presbyterian Hospital is working with the Federal Bureau of Investigation to identify the route of the attack.

Mitigating Risks

Covered entities and business associates must remain vigilant against cybersecurity attacks to avoid becoming the next victim of a ransomware attack. At a minimum, covered entities and business associates should focus on the following three areas:

  • Technical cybersecurity protection
  • Workforce training
  • Comprehensive risk analysis and management

OCR continues to help covered entities and business associates achieve HIPAA compliance by issuing guidance on individual HIPAA components. Most recently, OCR released its crosswalk between the HIPAA Security Rule and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The crosswalk can be used to identify gaps between an organization's HIPAA-driven controls and the NIST framework, and to strengthen existing cybersecurity programs with the NIST standards.

In addition to technical protections, workforce training is the second line of defense against malware such as ransomware. The HIPAA Security Rule requires security awareness and training for workforce members of covered entities (45 C.F.R. § 164.308(a)(5)). Regular bulletins with short examples of malware attacks or guidance on assessing and responding to malware incidents, along with training focused on recognizing malware and emphasizing best practices in email and Internet security, will help protect healthcare providers against successful malware attacks.

Finally, the importance of risk analyses and management plans cannot be overstated. A proper risk analysis will identify any gaps in device security and server security, making sure that the covered entity or business associate is not wide open to malware propagated by hackers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

