The Department of Health and Human Services has released new guidance to help healthcare organizations protect electronic health information systems from ransomware attacks.
HHS’ Office for Civil Rights developed the guidance to help organizations identify threats to electronic protected health information (ePHI), mitigate the identified risks, implement security procedures, train users to detect malware, control access to ePHI and maintain a disaster recovery plan, HHS said July 11.
The guidance is part of efforts to help healthcare organizations comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
The guidance also covers how to understand and detect ransomware, how to respond once an infection is found and how to mitigate its impact.
HHS noted that ransomware encrypts a victim’s data and demands a ransom, typically paid in cryptocurrency, in exchange for the decryption key.
“HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents,” HHS said.