Monday, May 22, 2017

HHS Office of Civil Rights Guidance on HIPAA specific to WannaCry

PARCA eNews – May 22, 2017 – The Health and Human Services Office of Civil Rights (OCR) issued breach notification guidance on its website in the wake of the WannaCry ransomware attack last week.

As outlined in that guidance, OCR presumes a breach has occurred in the case of a ransomware attack.

The entity must determine whether such a breach is a reportable breach no later than 60 days after the entity knew or should have known of the breach. A request by law enforcement to hold reports tolls the 60-day reporting deadline. For a copy of the ransomware guidance, please see the Fact Sheet: Ransomware and HIPAA.

The ransomware guidance also includes important information about ransomware and how compliance with the HIPAA Security Rule helps entities prepare for ransomware attacks, including with regard to contingency planning. For more guidance on the Rule’s requirements, please see the Security Rule Guidance Material page.

OCR has shared its FAQ on sharing of cyber threat indicators under CISA with federal partners, and it is available on the OCR website.

Reporting information to law enforcement, DHS, or other HHS divisions does not constitute inadvertent or intentional reporting to OCR. All reporting of breaches to OCR should be made as required by the HIPAA Breach Notification Rule.

Important Note: If the entity had not encrypted the data to at least NIST specifications when the ransomware attack was deployed, then OCR presumes a breach occurred as a result of the attack. To rebut that presumption, the entity would need to prove, through forensic or other evidence, that the ePHI was already encrypted when the attack occurred and that the ransomware merely containerized (or encrypted again) the already-encrypted ePHI. Please see the Breach Notification Rule.
