Ransomware attacks appear to be increasing in frequency as well as severity. Ransomware is malicious software that encrypts data until a ransom is paid to the hacker. For healthcare providers, the inability to access electronic health records systems due to a ransomware attack is a disaster scenario. While the decision whether to pay a ransom likely will continue to plague providers who are attacked, there is new guidance from the Department of Health and Human Services Office for Civil Rights (OCR) on how to handle ransomware attacks under the Health Insurance Portability and Accountability Act (HIPAA).
The new OCR guidance explains how the security requirements under HIPAA can assist in preventing, detecting and recovering from ransomware attacks. Most importantly, OCR states that these attacks constitute “breaches” under HIPAA. OCR explains how covered entities and business associates should manage the breach notification process under HIPAA in the event that a ransomware attack occurs.
Preventing Ransomware Attacks
HIPAA’s Security Rule contains standards and requirements for all covered entities and business associates to evaluate and address vulnerabilities in their information systems to prevent unauthorized access to electronic protected health information (ePHI). OCR’s guidance explains that organizations may prevent ransomware attacks or lessen their severity by complying with the HIPAA security requirements, including conducting a risk analysis of vulnerabilities, implementing procedures to guard against and detect malware, training users on malware protection, and limiting access to ePHI to only persons or software programs requiring access.
Detecting Ransomware Attacks
The OCR guidance provides a list of several indicators of a ransomware attack. OCR notes that appropriately training employees on these indicators can assist organizations in detecting the ransomware. The HIPAA Security Rule requires covered entities and business associates to train their workforces on security procedures, including detection of unauthorized activity.
Recovering from Ransomware Attacks
Compliance with the HIPAA Security Rule standards can also help organizations recover from a ransomware attack. The Security Rule requires organizations to implement plans for responding to security incidents, including malware attacks. Such plans should incorporate procedures to isolate infected computer systems and prevent ransomware from spreading. Response plans should also include processes to analyze ransomware, contain its impact, eradicate the ransomware and remediate the vulnerabilities that allowed the ransomware attack. OCR emphasizes that frequent data backups and ensuring the ability to recover data from such backups will facilitate recovery from an attack. OCR also encourages organizations to periodically conduct data restoration tests and maintain backups offline, away from the networks where data are stored.
Breach Analysis and Notification
As with any unauthorized access to health information, covered entities and business associates must conduct an analysis of a ransomware attack to determine whether it constitutes a “breach” under HIPAA. OCR confirms that ransomware attacks constitute a breach, because unauthorized individuals have taken possession or control of the ePHI, constituting an unauthorized disclosure. A breach is presumed to have occurred, and the organization must follow the notification processes required by HIPAA, unless the organization can demonstrate that there is a low probability that the ePHI has been compromised, based on the factors set forth in the HIPAA breach notification rule. The OCR guidance notes, however, that the HIPAA breach notification requirements apply only to “unsecured PHI.” Thus, if the ePHI targeted in a ransomware attack is encrypted in a manner consistent with HIPAA guidelines, the breach notification safe harbor may apply. As OCR noted, this determination is fact-specific.
OCR emphasizes throughout the new guidance that security measures, risk analyses and breach analyses vary depending on an organization’s individual infrastructure and the specific facts of a potential breach, including ransomware attacks.