The recent WannaCry ransomware attacks, which shut down the National Health System (NHS) in the UK and paralyzed cyber activity in more than 150 countries around the globe, should have been an eye opener for all healthcare organizations, especially in the U.S.A.

The National Institute of Standards and Technology (NIST) set up guidelines to help organizations manage risk, that is, how to prevent (as far as possible), detect, and respond to cyberattacks like ransomware attacks. It is noteworthy that these guidelines are “based on existing standards, guidelines, and practices.” The document further noted that, “Cyberattacks on information systems today are often aggressive, disciplined, well-organized, well-funded, and…

How does this affect you?
Since all healthcare entities, both individuals and organizations, come under the purview of the HIPAA Omnibus Rule, Security Rule, Privacy Rule, HITECH, and other related regulations, they must ensure cybersecurity to defend all electronic protected health information (ePHI) created, stored, managed, and transmitted by them against attacks and breaches. This indicates that there are certain administrative, technical, and physical safeguards they

In guidance published in 2010, the Office for Civil Rights (OCR) acknowledged that although “only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI.”

Prevention is better than cure
The WannaCry malware attacked a vulnerability in an operating system for which
by Amit Sarkar
Healthcare organizations must heed NIST guidelines for
» Every organization — healthcare or governmental — is vulnerable to cyberattacks.
» Cybersecurity is vital to protect electronic protected health information (ePHI).
» “Be prepared!” is more than a Boy Scout motto.
» IT has a major role to play to institute technical safeguards.
» Budget for human error and plain theft.
Amit Sarkar (email@example.com) is Head of Compliance and President and CEO of HIPAA Institute in Durham, NC.