HHS reports international cyber threat to healthcare organizations


To keep our pulse on the HIPAA industry, we subscribe to the U.S. Department of Health and Human Services’ HIPAA Security Rule Distribution List. This past week we’ve seen a lot of activity on the list, so I’m sharing some of it via this post. The reason behind the surge in activity, of course, is the WannaCry ransomware attacks.

SEE RELATED: 3 Key Lessons Learned From WannaCry Ransomware Cyberattacks

If you are the victim of ransomware

If your HIPAA organization is the victim of a ransomware attack, HHS recommends the following:

  1. Contact your FBI Field Office Cyber Task Force immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
  2. Report cyber incidents to the US-CERT and FBI’s Internet Crime Complaint Center.
  3. For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at [email protected]

HHS Office for Civil Rights guidance on HIPAA specific to WannaCry

As outlined in its online ransomware fact sheet, HHS presumes a breach in the case of a ransomware attack.

The entity must determine whether such a breach is a reportable breach no later than 60 days after the entity knew or should have known of the breach.

SEE RELATED: FACT SHEET: Ransomware and HIPAA [HHS]

Ransomware guidance also includes important information about ransomware and how compliance with the HIPAA Security Rule helps entities prepare for ransomware attacks, including with regard to contingency planning.

OCR has shared its FAQ on sharing of cyber threat indicators here.

Important Note: If the data is not encrypted by the entity to at least NIST specifications when the ransomware attack is deployed, then OCR presumes a breach occurred, due to the ransomware attack.

As such, the Covered Entity or Business Associate would need to prove that the ePHI was encrypted when the attack occurred and the ransomware containerized (or encrypted again) already-encrypted ePHI.

SEE ALSO: HIPAA Breach Notification Rule

Where can I find the most updated information from the U.S. Government?

For overall Cyber Situational Awareness, visit the US-CERT National Cyber Awareness System.

The NCCIC portal is here (Restricted access).

Indicators Associated With WannaCry Ransomware:

Healthcare and Public Health-directed Resources:


About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
