A growing threat to the privacy of health information is the use of "ransomware" to attack hospitals’ and other health care organizations’ electronic health records systems. These attacks have increased dramatically in 2016 and now represent the fastest-growing malware threat in the US, according to the FBI. In response, the Office for Civil Rights of the U.S. Department of Health and Human Services has released new guidance to health care entities on how to address ransomware attacks.

What Is Ransomware?

Ransomware is a kind of malicious software that encrypts data already on someone else's computer, so that it would be readable only by the party that sent the ransomware. After the ransomware has completed its task, it directs the computer's owner to pay a ransom to the sender in exchange for a "key" that will decrypt the data. Ransomware is often delivered through infected websites or through spam and phishing email messages, activating when a user follows a link or opens the attachment.

Must Ransomware Attacks Be Reported as Security Breaches?

The rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) generally require a health care organization to report a breach of unsecured health information to patients, the Department of Health and Human Services, and in some cases the media. The Office for Civil Rights has indicated that the encryption of unsecured health information by ransomware is a security incident and is presumed to be a reportable breach, unless the entity can demonstrate and document that there is low probability that the health information was compromised. The rationale is that through the attack, the sender of ransomware takes control of the unsecured information, which is an unauthorized disclosure that is not permitted by the HIPAA rules.

The guidance from the Office for Civil Rights sets out how to conduct a risk assessment to determine the probability that the unsecured data were compromised, adding additional possible factors specifically for ransomware to those already given in the HIPAA rules.

The guidance also addresses ransomware attacks on secured health information. If the data had been secured in accordance with previous guidance issued by the U.S. Department of Health and Human Services a breach would normally not be reportable. However, the circumstances of both the victim’s encryption solution and the particular ransomware attack could render those data transparently decrypted, giving rise to reporting obligations.

Could a Randsomware Attack Give Rise to Other HIPAA Sanctions?

In addition to urging that entities having infected systems not pay ransoms, the new guidance highlights activities currently required under HIPAA that can help prevent, detect, contain, and respond to ransomware attacks. A health care provider could be found to have violated the HIPAA rules for failure to carry out such activities, such as:

  • conducting a risk analysis to identify threats to electronic health information,
  • establishing a plan to mitigate identified risks,
  • implementing procedures to safeguard against malicious software,
  • training users to detect and report malicious software infections,
  • limiting access to electronic health information to only those people requiring access, and
  • maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

For example, in December 2015, a health care provider entered into a settlement agreement with the Office for Civil Rights that included a $750,000 fine, as a result of an employee's downloading an email attachment containing malware.

For health care organizations, due to the heightened sensitivity of the information that they hold and the security and reporting requirements to which they are subject, more is at stake in a ransomware attack than simply using a backup to recover the data that were encrypted and then resuming normal operations. Therefore, health care organizations should carefully evaluate the effectiveness of their procedures for preventing and responding to a ransomware attack.