With the recent global ransomware attack once again exposing the healthcare industry's vulnerability to hacking, the U.S. Department of Health and Human Services (HHS) on May 15, 2017, updated its guidance regarding ransomware and cyber threats to healthcare organizations. Ransomware is a type of computer software that blocks access to data until a ransom, usually in the form of digital currency, is paid. It is spread via an e-mail attachment or link, usually disguised as coming from a legitimate source. The May 12, 2017, ransomware attack impacted computers in more than 150 countries, including those of Britain's National Health Service (see HRC Alerts, May 17, 2017: Lessons from the Recent Cyberattack). If an organization is a victim of ransomware, HHS recommends providers contact the Federal Bureau of Investigation's (FBI) Cyber Task Force immediately, report cyber incidents to US-CERT and the FBI's Internet Crime Complaint Center, and share information with HHS' Healthcare Cyber Security and Communications Integration Center. The guidance also offered a resource list with links to up-to-date information from the government. The American Hospital Association also offers cybersecurity resources to its members on its website.
HRC Recommends: Risk managers can help their facilities prepare for cyberattacks by conducting risk assessments and putting contingency plans in place. Contingency plans should require workforce training on how to use and substitute non-electronic, paper-based methods, such as written discharge instructions, as may be necessary. Facilities should consider keeping available a variety of paper records and forms (e.g., pre-printed discharge instructions for common medical conditions with a blank area left for specific instructions) and other paper records as well as forms that can be hand-delivered to laboratories and radiology departments. Preprogrammed phone and fax numbers can also minimize delay in the event an IT system is compromised. The Centers for Medicare and Medicaid Services (CMS) advises taking an "all hazards" approach to cybersecurity, because conditions of participation in federally funded healthcare programs may be adversely affected by cyber incidents—notably, the conditions of participation relating to the governing body, medical records/patient records, and nursing services. The CMS recommendations for cybersecurity and other information about ransomware are discussed in the guidance article The HIPAA Security Rule.