In 2016, more than 4,000 ransomware or other malware attacks have been occurring daily, a 300% increase over 2015. Six hospitals have reportedly been victims of ransomware in 2016. Ransomware is a type of malicious software used by cyber actors to deny access to an entity's systems and/or data; it may spread to shared storage drives and other systems. The systems and data are held hostage until a ransom is paid.

Ransomware is more disruptive and debilitating than other criminal cyber threats because it can:


The presence of ransomware on a computer of a covered entity or business associate is a security incident under the HIPAA Security Rule, and appropriate measures must be taken to respond. A risk assessment must be performed to determine whether the ransomware attack resulted in a reportable breach of electronic protected health information (EPHI). If EPHI is encrypted as a result of the ransomware attack, the Office for Civil Rights (OCR) considers this to be a breach, because the attackers have taken control of the EPHI. If the EPHI had already been encrypted by the covered entity/business associate in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals [1], then most likely a breach did not occur, unless a factual analysis of the event shows that the encryption solution failed.

Cyber attackers enter the organization's systems by tricking a user into disclosing a password or clicking on a virus-laden email attachment. They are also seeding legitimate websites with malicious code, taking advantage of unpatched software on an organization's computers.

A new fact sheet, "Ransomware and HIPAA" [2], released by the OCR emphasizes that covered entities/business associates are required to implement appropriate security measures to reduce the risks to EPHI from the introduction of malware, including ransomware. As part of the required HIPAA Security Rule Risk Assessment, covered entities/business associates must identify the potential risks to their EPHI and the measures that will be implemented to address the vulnerabilities. As an example, although no HIPAA regulation specifically requires covered entities/business associates to update the firmware of network devices, entities should identify and address the risks to EPHI of using network devices running obsolete firmware, especially when firmware updates are available to remediate known security vulnerabilities.

Because prevention and early detection are the best defenses against ransomware, as part of the required security awareness training, include information specifically focused on ransomware such as:

Never click unsolicited links or open unsolicited attachments.

Require immediate reporting of any suspicion, 24/7, to a designated person.

Indicators of ransomware: a clicked link or opened attachment that appears malicious; increased activity in the computer's central processing unit; inability to access files.