Ransomware Can Be a Regulatory Issue!


I was just reading that in July 2016, an alarming enforcement threat was included in guidance from the Health & Human Services’ Office for Civil Rights, which enforces the HIPAA Security Rule.  What is alarming about this is that even if your data is encrypted at rest, a ransomware infection may still be treated as a breach!  We tend to think that having the data encrypted is sufficient, but it seems that OCR can make a fact-specific determination.  So let’s look at that guidance and what it means for us.

The Health and Human Services’ Office for Civil Rights (HHS/OCR) notes that a breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted which . . . compromises the security or privacy of the PHI.”  Under the added guidance, OCR will presume a breach of PHI when ransomware encrypts it, because the action of the ransomware itself is necessarily an unauthorized “possession or control” of the information and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

You can bet that other regulators will follow soon, meaning PCI, GLBA, FFIEC and others, so this is advance warning for our friends in the Credit Union world.  We need to be set up not only to address the situation if ransomware happens, but we also need to spend much more effort making sure that it does not get through in the first place.

How prepared is your environment for these new threats?  Contact Pure IT Credit Union Services to start your assessment today!