Myth busted: You can't sweep ransomware attacks under the rug
Partner Steve Gravely is quoted in a Healthcare IT News story titled, “Myth busted: You can't sweep ransomware attacks under the rug.” Gravely is quoted multiple times in the article, saying, “OCR guidance is very clear on what the HIPAA Breach Notification Rule requires in the event of a ransomware attack. I don’t think that there is any ambiguity in the OCR guidance.” Gravely also speaks to the common misconception that hackers won’t have access to patient records during such attacks. He says, “By definition, the ransomware attacker has obtained unauthorized access to the PHI by the act of encrypting it. In many instances, the attacker retains the data and sells it on the black market even if the ransom is paid and access to the target system is restored. These are the reasons why OCR guidance advises that any ransomware attack is presumed to be a reportable breach.”