HIPAA compliance can help your practice protect itself against ransomware attacks.

Security & Risk Analysis: HIPAA compliance requires your practice to complete a Security & Risk Analysis that identifies threats to electronic protected health information (ePHI). The Security & Risk Analysis may bring to light issues such as not limiting access to ePHI appropriately or not having a contingency plan in place that addresses emergency operations, disaster recovery, frequent data backups, and test restoration.

Security Training: HIPAA compliance requires all IT end users to receive training specific to detecting and reporting security risks which includes ransomware. This training should be extended to staff and physicians to help avoid human error mistakes such as clicking a risky link, website, or attachment.

Network Flags: To further comply with HIPAA, your practice should consider creating flags or alerts on specific IT events. Such events could include heavier central processing unit (CPU) activity without a known cause. This could be a sign that ransomware is encrypting and stealing data. Another flag would be the inability to access certain data as ransomware may be encrypting, renaming, and hiding data. Intrusion detection can find suspicious network communications between a program and the attacking command and control server.