On December 28 HHS released suggested measures to protect health care businesses from cyberattacks on their electronic health systems (EHRs) and protected health information (PHI). Included among threats they say practices should watch for: Ransomware, which has become a common hacking exploit in health care.
The agency announced it was issuing the guidance in keeping with the Cybersecurity Act of 2015, which directed the agency to "develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry."
Four guidance documents lay out "the five most relevant and current threats to the industry" and "10 Cybersecurity Practices to help mitigate these threats." The threats are:
- E-mail phishing attacks
- Ransomware attacks
- Loss or theft of equipment or data
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety
Ransomware, a hack that locks the victim's computer systems until the owner pays a fee, first began showing up in health care at private duty agencies and insurers in 2015. But over time it has spread to hospitals and independent practices. And it shows no sign of slowing down: One cybersecurity analysis firm has predicted "ransomware damage costs will rise to $11.5 billion in 2019 and one business will fall victim to a ransomware attack every 14 seconds by that time."
The ten practices for defense against these threats that HHS proposes include cybersecurity policies, incident response, and endpoint protection systems.
"Just as we are able to protect our patients from infection," says HHS, "we should all work towards protecting patient data to allow physicians and caregivers to trust the data and systems that enable quality health care.
HHS emphasizes what practices stands to lose if they're hacked: they note that data breaches cost the U.S. health care system $6.2 billion in 2016, and that "the presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule."
Protect yourself: On January 16 DecisionHealth will have cybersecurity expert John Nye of CynergisTek give a webinar, Ransomware: How to Protect Your Practice, that will teach you how to effectively defend your systems and PHI from this fast-spreading and potentially expensive menace. Sign up here.