“Is ransomware considered a health data breach under HIPAA?” That question is explored in a recent Forbes article by Dan Munro, who covers the healthcare and compliance domains.
The conventional view he describes is that a ransomware attack is not a data breach under HIPAA's PHI disclosure rules; the larger concern, on that view, is the message of lax security that such an attack broadcasts to cyber-criminals around the world. Dan disagrees.
He argues that ransomware attacks should be treated as unauthorized exposure of private information, no different from the outright theft of a laptop, desktop or server.
According to the 2015 records of the Office for Civil Rights (OCR), there were more than 300 disclosed healthcare breaches. Roughly one-third were due to the loss or theft of equipment such as a laptop, desktop, server or other portable electronic device.
The same records show that more than 100 of the disclosed breaches were due to attacks such as ransomware, affecting hundreds of thousands of records in total. The reasoning is that records in the hands of criminals are compromised records.
Under the HIPAA rules, notification letters must be sent to the affected individuals, because the systems and the PHI on them are no longer under the control of the healthcare provider.
Types of Ransomware –
Some attacks take control of a machine and lock it down, blocking access for legitimate users. The system is unlocked only after the ransom is paid; until then it is clearly under the criminals' control.
Some attacks involve remote access by the criminal, who waits for a Bitcoin payment before unlocking and reconfiguring the system.
The most common form is software that encrypts important files with a key known only to the attacker. It reads each file, encrypts it and writes the result back in the same place, overwriting the original. Once payment is made, the files are unlocked.
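The in-place overwrite described above leaves a fingerprint a defender can look for: readable documents are replaced by near-random bytes at the same path. The script below is an added example, not code from the original article, from Forbes or from Alertsec. It computes the Shannon entropy of files in a directory and flags text-typed files whose content looks like ciphertext. The extension list, the 7.5 bits-per-byte threshold and the 256-byte minimum size are illustrative assumptions, and the sample files it scans are constructed in a temporary directory, with os.urandom standing in for encrypted content.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical policy (assumption for this example): these extensions are
# expected to hold readable text, so near-random content in them is a strong
# sign that the file was encrypted in place.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 for
    uniformly random bytes. Ciphertext sits close to 8.0; English text and
    CSV records sit well below 6.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_suspect_files(root, threshold: float = 7.5, min_size: int = 256):
    """Walk `root` and return the relative paths of text-typed files whose
    content is nearly uniformly random (entropy >= threshold). Files smaller
    than `min_size` are skipped because their entropy estimate is noisy.
    Threshold and size are illustrative assumptions, not values taken from
    any product or guidance."""
    root = Path(root)
    suspects = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTENSIONS:
            continue
        if path.stat().st_size < min_size:
            continue
        if shannon_entropy(path.read_bytes()) >= threshold:
            suspects.append(path.relative_to(root).as_posix())
    return sorted(suspects)


def demo():
    """Constructed sample tree: two ordinary plaintext records plus one file
    that has been overwritten in place with random bytes, standing in for
    the ciphertext a crypto-ransomware leaves behind. Returns the flagged
    relative paths; only the overwritten file should be listed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patient_notes.txt").write_bytes(
            b"Patient 1234: follow-up visit in two weeks.\n" * 20)
        (root / "billing.csv").write_bytes(
            b"id,cpt_code,amount\n1001,99213,120.00\n" * 20)
        # In-place overwrite: same name, same location, unreadable content.
        (root / "lab_results.txt").write_bytes(os.urandom(4096))
        return find_suspect_files(root)


if __name__ == "__main__":
    print("suspect files:", demo())
```

Entropy alone is a heuristic: compressed archives, images and legitimately encrypted files are also near 8.0 bits per byte, which is why the check is limited to extensions that should contain plain text. In practice this sort of scan is paired with a baseline of the same directory taken before the incident, so that a file whose entropy jumped is distinguished from one that was always high-entropy.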
Nowadays, ransomware attacks used to extort money are on the rise.
“There’s more and more documented evidence that this is going on,” says Ori Eisen, founder and chief innovation officer of fraud prevention company 41st Parameter. “It’s more prevalent in the United Kingdom, which is sort of a staging or testing ground. It’s starting there and getting more momentum.”
Alertsec is a full disk encryption service that delivers mobile data protection for all information stored on laptops used throughout your organization.