With the recent global ransomware attack once again exposing the healthcare industry's vulnerability to hacking, the U.S. Department of Health and Human Services (HHS) on May 15, 2017, updated its guidance regarding ransomware and cyber threats to healthcare organizations. Ransomware is a type of computer software that blocks access to data until a ransom, usually in the form of digital currency, is paid. It is spread via an e-mail attachment or link, usually disguised as coming from a legitimate source. The May 12, 2017, ransomware attack impacted computers in more than 150 countries, including those of Britain's National Health Service (see HRC Alerts, May 17, 2017: Lessons from the Recent Cyberattack). If an organization is a victim of ransomware, HHS recommends that providers contact the Federal Bureau of Investigation's (FBI) Cyber Task Force immediately, report cyber incidents to US-CERT and the FBI's Internet Crime Complaint Center, and share information with HHS' Healthcare Cyber Security and Communications Integration Center. The guidance also offered a resource list with links to up-to-date information from the government. The American Hospital Association also offers cybersecurity resources to its members on its website.

HRC Recommends: Risk managers can help their facilities prepare for cyberattacks by conducting risk assessments and putting contingency plans in place. Contingency plans should require workforce training on how to use and substitute non-electronic, paper-based methods, such as written discharge instructions, as may be necessary. Facilities should consider keeping available a variety of paper records and forms (e.g., pre-printed discharge instructions for common medical conditions with a blank area left for specific instructions) and other paper records as well as forms that can be hand-delivered to laboratories and radiology departments. Preprogrammed phone and fax numbers can also minimize delay in the event an IT system is compromised. The Centers for Medicare and Medicaid Services (CMS) advises taking an "all hazards" approach to cybersecurity, because conditions of participation in federally funded healthcare programs may be adversely affected by cyber incidents—notably, the conditions of participation relating to the governing body, medical records/patient records, and nursing services. The CMS recommendations for cybersecurity and other information about ransomware are discussed in the guidance article The HIPAA Security Rule.

Topics and Metadata

Topics

Health Information Privacy; Security/Safety

Caresetting

Ambulatory Care Center; Ambulatory Surgery Center; Emergency Department; Hospital Inpatient; Hospital Outpatient; Rehabilitation Facility; Short-stay Facility; Skilled-nursing Facility

Roles

Healthcare Executive; Regulator/Policy Maker; Risk Manager; Security Personnel

Information Type

News

Publication History

Published May 24, 2017

Who Should Read This

Administration, Clinical/biomedical engineering, Health information management, HIPAA security officer, Information technology, Risk manager, Security