Beware of Ransomware: New Guidance on Ransomware and HIPAA

By: Amy Bender
As hackers have become more sophisticated and creative, so have the tools they use to compromise computer and data systems. One such tool is ransomware, a type of malware that, as its name implies, encrypts or otherwise denies access to data and demands a ransom, usually in the form of a cryptocurrency such as Bitcoin, in exchange for the decryption key. This type of cyberattack can have serious consequences in the medical and dental fields, where patient information is increasingly (and sometimes only) stored electronically.
In response to this growing threat, the Department of Health and Human Services’ Office for Civil Rights (OCR) recently issued a Fact Sheet (available here) on how covered entities and business associates should prevent, detect, respond to, and recover from a ransomware infection in compliance with the HIPAA Privacy and Security Rules. According to the guidance, a ransomware attack is considered a “security incident” under the HIPAA Security Rule that triggers the entity’s security incident response and reporting procedures. This signals a shift in enforcement and further shows the expanding reach of the OCR, as discussed previously in our blog (available here). Ransomware traditionally has not been considered a data breach, since there is no actual access to or disclosure of information by an unauthorized user (the hacker); rather, the malware simply encrypts the data so that the user can no longer access it. Now, however, the OCR is changing this analysis by taking the position that encryption is equivalent to an “unauthorized access” and, thus, is a data breach. As the Fact Sheet explains, “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
Because the encryption of ePHI by ransomware is now considered a form of “unauthorized access,” covered entities and business associates that are the subject of a ransomware attack must determine whether the attack is a HIPAA breach that triggers reporting obligations to affected individuals, the OCR, and the media. Significantly, under the Breach Notification Rule, whenever an unauthorized access or disclosure occurs, the covered entity must presume that a breach has occurred, thus requiring notice, unless the entity can demonstrate through a documented risk assessment that there is a low probability that the ePHI has been compromised, based on the following four factors:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.
The entity also must maintain supporting documentation of its actions and conclusion.
Since covered entities and business associates bear the burden of proof, it is critical that they not only act quickly once faced with a ransomware attack, but also prepare for such an attack on the front end, for example by implementing security measures and data backup procedures. In addition, a covered entity that experiences a ransomware attack can no longer rely on the traditional assumption that the attack is not a data breach requiring notice. Instead, the new guidance places additional burdens on the covered entity to conduct a thorough analysis of the ransomware attack, potentially by retaining a computer forensics provider, to determine facts such as how the attack occurred, which variant of ransomware was involved, and whether any data was exfiltrated. The covered entity then must use that information to conduct a written risk assessment under the four factors outlined above and make a good-faith decision about whether any ePHI was compromised and whether notice is required under the Breach Notification Rule.
If your organization experiences a ransomware attack, our Cyber Liability, Data Security & Privacy team is available to assist you at each step of the way.