The number of ransomware attacks increased from 1000 attacks per day to 4000 attacks per day - an increase of over 300% - between 2015 and 2016, according to a recent U.S. Government interagency report. Ransomware attacks in the healthcare industry increased by nearly 75% between H1 and H2 2019, and the number jumped a whopping 350% in the last half of 2019, according to a Corvus report.

These attacks on the global healthcare industry have been dominating headlines for years, shaking the entire system. Pervasive ransomware like Locky and SamSam have disrupted healthcare facilities and businesses in major parts of the world, highlighting industry’s status quo with the lackluster cybersecurity defenses.

How and Where Ransomware Attacks and HIPAA Guidelines Intersect

With the alarming rise in ransomware attacks, new guidelines have been issued by the Federal government to establish a stronger system to tackle ransomware attacks under the Health Insurance Portability and Accountability Act (HIPAA) law. The guidelines are expected to offer measures for healthcare professionals to prevent and recover from ransomware attacks, including the explanation on how the law has an important role to play in supporting HIPAA-covered healthcare organizations and businesses to manage and devise a response to ransomware attacks.

The new guidelines are a response from the Department of Health and Human Services to ransomware attacks that have grown from being a nuisance to a looming threat to the entire healthcare industry that comprises both the business as well as patients. According to HHS, now businesses can identify when a ransomware attack can be treated as a breach of HIPAA, and they devise their response accordingly. In most cases, the presence of ransomware encrypts electronic protected health information (ePHI) from a healthcare organization, and that is when any HIPAA-compliant business can treat this attack as a breach.

The HHS clearly states that the businesses covered by HIPAA must refer to the guidelines and steps described in its document while responding to, reporting, and recovering from any ransomware attack in the future. The steps of response include:

1. Identify and analyze the scope of the security incidence

2. Reach the origin and find whether the attack is ongoing

3. Analyze the situation to know whether there has been a break of ePHI

Grey Area in the New HIPAA Guidelines that can Weaken the System

The HHS’ guidelines can help in preventing and dealing with the devastating impacts of any ransomware attack, as it defines ransomware attack as a security incident. It also indicates that complying with HIPAA standards can help healthcare enterprises in escaping the monumental difficulties of tackling ransomware attacks and mitigating the cost of it. However, the document still leaves many unanswered questions and creates some loopholes in the understanding about what can be and cannot be considered a breach of HIPAA.

Today, hackers and attackers are coming to the realization that prying hundreds of individual customers is more efficient and profitable than victimizing enterprises worth a few thousand or tens of thousands of dollars. Furthermore, the document also does not clarify the pointers such as the nature and extent of the PHI breach, which leaves a room for interpretation and debate.

Thereby, this highlights the need among healthcare professionals to gain complete guidance on the HIPAA law through various training, manuals, and testing. Furthermore, intensifying risks of ransomware in today’s world, where a majority of healthcare businesses are going online, the need for annual risk assessments and HIPAA training, along with cyber security awareness training, have become inevitable for enterprises to prevent their organizations from these attacks.