Ransomware is a HIPAA Breach

Jack Danahy of Barkly makes a good point in his article that control of PHI by an outside entity is a HIPAA breach, especially if that entity is a criminal.  Here is the complete article: http://healthitsecurity.com/news/why-healthcare-ransomware-attacks-are-hipaa-data-breaches

Ransomware appeared on most of our radars with the announcement that a hospital had paid $18,000 in ransom to regain control of its data.  There are two scary sides to this story: automated ransomware run by bots, and ransomware run by hackers who know what they have taken.

The bots just look for an opening, using techniques such as phishing, and once inside they encrypt the data and leave a message demanding payment to release it.  Typically they ask for only $500 or so, and the whole process is automated.

If, however, a hacker is able to figure out the value of the data, the ransom demand will be higher.  Medical records are the most valuable records on the black market, so a hacker who discovers that he is holding 10,000 medical records he could sell for $50 each is going to demand far more than a bot would.

Protection from ransomware of either type requires greater diligence than most healthcare organizations are currently applying.  Proper policies, properly implemented and backed by comprehensive staff training, are the foundation.  Routine risk assessments to measure progress and identify risks are critical.  If you haven't updated your formal risk assessment in the last six months, you are probably at greater risk than you imagine.

For many small organizations the answer is our Jumpstart program, which gets you into initial HIPAA compliance in 72 hours and then keeps you there on an ongoing basis.  With prices starting at $99, you can't afford to take the risk that you might be in the crosshairs of a bot or hacker today.

For more information contact Jack@compliancehelper.com
