Ransomware is a form of malicious software (malware) that targets critical data and systems to extort payment for restoring the targeted data or system. After locking the user out of their system, the perpetrator demands a ransom payment to restore the data, failing which the data will be deleted or permanently encrypted. When the user sends the ransom, the hacker provides the user the key to regain access to the data. Ransomware frequently infects systems and devices through spam and phishing messages, email attachments and websites, and enters the computer through malicious links or attachments.
Ransomware also poses a threat to the healthcare industry because it can block access to electronic records, which disrupts patient care. With increasing attacks and threats to healthcare records, lawmakers pushed the U.S. Department of Health & Human Services (HHS) to issue guidance on ransomware attacks, particularly about reporting attacks and whether these attacks are considered to be a Health Insurance Portability and Accountability Act (HIPAA) violation.
Ransomware attacks are considered to be a breach of HIPAA compliance. The Office for Civil Rights (OCR), on July 11, 2016, issued guidance on handling ransomware attacks under HIPAA. The guidance discusses how HIPAA’s security requirements can help organizations prevent, detect, and recover from these ransomware attacks. According to the OCR guidance, if ransomware is present on a computer system, it is a security incident under the HIPAA Security Rule; therefore, the entity impacted must initiate its security incident response and reporting procedures. The OCR guidance also addresses whether a ransomware attack is considered to be a breach of HIPAA compliance.
A breach, as defined by the HIPAA Rules, is the access, acquisition, disclosure, or use of Protected Health Information (PHI) in a manner that is not permitted under the HIPAA Privacy Rule and that compromises the security or privacy of the PHI. Pursuant to the HIPAA Rule, it is presumed that a breach has taken place unless the entity suffering the ransomware attack can show that there is a low probability of the PHI being compromised. Such a determination can be made if the entity performs a risk assessment considering the following factors:
- The nature and extent of the PHI involved.
- The unauthorized entity who used the PHI or the person to whom disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
In cases where the Electronic PHI (ePHI) gets encrypted from a ransomware attack, a breach has occurred because the encrypted ePHI was accessed, which is an impermissible disclosure under the HIPAA Rule. The organization or the entity should then comply with the notification provisions applicable under the HIPAA Rule, which includes notifying the individuals affected, the Secretary of HHS, and the media (if more than 500 individuals are affected).
Organizations must take efficient steps to ensure that their data is safe from ransomware attacks. For more insights on ransomware attack prevention, attend the HIPAA Compliance Virtual Boot Camp 2017 by expert speaker Jim Sheldon-Dean. Jim is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities. During the session, you will learn how HIPAA breach notification processes should be managed in response to a ransomware attack.
Jim,
Many thanks for posting on this very hot topic. You wrote:
“In cases where the Electronic PHI (ePHI) gets encrypted from a ransomware attack, a breach has occurred because the encrypted ePHI was accessed, which is an impermissible disclosure under the HIPAA Rule. The organization or the entity should then comply with the notification provisions applicable under the HIPAA Rule, which includes notifying the individuals affected, the Secretary of HHS, and the media (if more than 500 individuals are affected).”
Consistent with the guidance described earlier in your posting, the organization (let’s assume a CE in this case) would be in the position to either treat the security incident as a breach and move forward with the notification requirements or it could also opt to perform a risk assessment to determine if a breach occurred. Correct?