Include Ransomware in Your Next Risk Analysis: HIPAA & HITECH Act Blog by Jonathan P. Tomes with Guest Commentator Alice M. McCart, J.D.

JonTomesAlice picReliable backup of data is crucial to your operations. In addition to other risks, such as power spikes or outages, fire, flood, or other natural disaster, viruses, hackers, and improper acts by employees and others, your electronic system faces a major risk from so-called ransomware.
Ransomware is a type of malware that restricts access to the infected computer system and demands that the user pay a ransom to the malware operators to remove the restriction. The most common form of the attack has ransomware encrypt files on the system’s hard drive, which becomes difficult or impossible to decrypt without paying the ransom for the decryption key. Other attacks may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a so-called Trojan horse whose payload is disguised as a seemingly legitimate file.
Even if the victim pays the ransom, no guarantee exists that the malware attacker will provide the decryption key or unlock the system. Losing access to the data as a result of ransomware could have catastrophic effects on your organization and your patients/clients. No one method can completely protect your organization and your patients/clients from ransomware.
The best protection from ransomware is a good backup plan. The only way to devise a good backup plan is to include a thorough discussion of ransomware in your Risk Analysis. Your Risk Analysis Team, which must include your IT folks, should be able to (1) assign the research tasks to assess the threat, (2) figure out what security measures would be reasonable and appropriate for your organization, (3) work out a plan for preventing/responding to ransomware attacks, (4) draft an appropriate policy and procedure for your organization, and (5) help train your workforce on that policy and procedure.
To help you get started drafting such a policy, Jon Tomes has written a template for you. It is available in the Premium Member section of the Veterans Press website. If you have trouble logging on, please contact our IT wizard at websupport@wccit.com. If you want to read more about ransomware and missed Jon’s blog item on it earlier this year, you can read it here.
Also, as an aside, consider signing up for the HIPAA webinar that Jon Tomes is presenting through MentorHealth on Thursday, June 9, 2016, at noon Central time, on How to Handle Breaches, Complaints, and Investigations. And you may want to sign up for my webinar through MentorHealth on Thursday, June 23, 2016, at noon Central time, on how to write HIPAA policies and procedures.

seo by: k.c. seo