Basic|ILY

Back to basics HIPAA Compliance and Cyber Security Awareness

Cyber Security Awareness and HIPAA Compliance

Welcome to my humble little byte of the internet where you will find my latest musings and knowledge sharing on Cyber Security and HIPAA Compliance concerns.

Basic|ILY October 19, 2016 1 Comment

What You Need to Know: Ransomware ..and why it matters for HIPAA Compliance

Ransomware threatens the basic tenets of the HIPAA Security Rule ..integrity, availability, and confidentiality of data.

The HIPAA Security Rule, 164.306(a), states that covered entities must:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.


What is ransomware?
Ransomware is malicious software that is used to lock (encrypt) files on your computer system and shared network drives. Attackers then ask for a ransom payment in exchange for the key to recover the locked files. In many cases, they never send the key, or an invalid key is provided, and the files are never recovered.

HHS issues guidance on ransomware and HIPAA.
Multiple sources estimate that ransomware attacks have increased 300% since 2015. Due to this steady climb from an estimated 1000 attacks per day in 2015 to 4000 attacks per day during the first half of 2016, the U.S. Department of Health and Human Services (HHS) has issued guidance for covered entities and business associates regarding ransomware.

Maintaining HIPAA compliance ..would you have to report the ransomware incident to HHS?
If ransomware has adversely affected unsecured ePHI (electronic protected health information) in your environment, provisions in the HIPAA Breach Notification Rule may require you to report the incident to affected individuals, the Secretary of HHS, and the media.

If you become a victim of a ransomware attack
– Initiate your security incident response and Breach Notification procedures
– Do not pay the ransom
– Report the incident to your local FBI field office
– Report the incident to affected individuals, agencies, and the media, as appropriate

Reduce your risk of becoming a victim
– Provide security awareness and training for staff on how to identify and report suspicious activity
– Implement data encryption on all ePHI (at rest and in motion)
– Perform regular, full, encrypted data backups, and periodically verify that you can successfully restore data from backup

Filed Under: HIPAA

Basic|ILY August 12, 2016 Leave a Comment

Hello world!

I want to say hello to the world for the first time from my very first blog. Yes, I left the default title (for you computer people, you know who you are). Why? Because it is apropos. Please don’t judge. I am a cyber security professional, not a web developer! And no, it is not the same thing! In time this site will develop into something more refined, and aesthetically cyber, but if I don’t do it now, well… I have been “Coming Soon” for over a year, and it is about time I arrived. Eventually, I will delegate the website administration to a professional web developer, but for now I want to learn a little bit about the process and the design.

My goal is for this site to be a resource for Cyber Security and HIPAA Compliance matters, with an emphasis on privacy and security awareness and education. This will never be an overly technical website; however, if you like what you read here, I will do my best in each and every post to include relevant links for more technical reading. Likewise, I will develop a blog roll that will include many of my favorite web resources for the best cyber technical stuff on the planet!

My vision is that someday this website will transition to a full-fledged cyber security business website. For now, I may also post other initiatives that I am pursuing, but I will always keep it to the “basics.”

One thing I have learned: blog posts are supposed to be a few paragraphs so readers don’t lose interest. So, I will now thank you for stopping by, and I hope you find useful information that helps you secure your business. Thank you for growing this blog with me.

Jennifer

Filed Under: Uncategorized
