On July 11, 2016, the HHS Office for Civil Rights (OCR) released new Health Insurance Portability and Accountability Act (HIPAA) guidance (Guidance) for hospitals and other healthcare providers on how to detect, prevent, and respond to ransomware infections. The Guidance clarifies that when electronic protected health information (ePHI) on a covered entity’s or business associate’s information system has been encrypted by a hacker, the entity has experienced a security incident under the HIPAA Security Rule and may have experienced a breach requiring notification pursuant to the HIPAA Breach Notification Rule. However, covered entities and business associates subjected to ransomware attacks may avoid breach notification if they can demonstrate, following a fact-specific inquiry, that there is a “low probability” that the ePHI has been compromised.

Issued in the wake of repeated reports of ransomware attacks on U.S. hospitals and healthcare providers during the first half of 2016, the Guidance cites a recent U.S. Government interagency report which notes a 300% increase in ransomware attacks since 2015, and on average, about 4,000 such attacks a day.[1] Hollywood Presbyterian Medical Center in California experienced such an attack in February, when its computer systems were locked up by ransomware for several weeks. The medical center ultimately paid a $17,000 ransom in bitcoin in order to obtain the decryption key. MedStar Health, a network of Maryland hospitals, suffered a ransomware attack in March; as a result, it turned away or treated patients without important computer records. In May, Kansas Heart Hospital announced that it also had paid a ransom for the return of its encrypted data, but it refused to pay a second ransom that was then demanded by the hackers to decrypt the data.

Security Incident or Breach?

The Guidance specifically notes that the presence of ransomware or any other form of malware on a covered entity’s or business associate’s information systems constitutes a security incident. The HIPAA Security Rule defines a security incident as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”[2] The Security Rule requires covered entities and business associates to regularly review records of information system activity and security incidents and to respond to such incidents, mitigate harmful effects that may arise from such incidents, and document such incidents and their outcomes.[3]

The Security Rule also requires covered entities and businesses to “[e]nsure the confidentiality, integrity, and availability of all [ePHI] the covered entity or business associate creates, receives, maintains, or transmits.”[4] By removing an entity’s ability to access its ePHI unless and until a ransom is paid, ransomware unquestionably limits the availability—and it also may compromise both the confidentiality and integrity—of the affected ePHI.

But is a ransomware attack automatically a breach? And what if the ePHI has been encrypted by the covered entity or business associate before the ransomware attack?

  • HIPAA defines a breach as “the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the [PHI].”[5] OCR indicates that it is possible for a ransomware attack to qualify as a breach under the HIPAA Breach Notification Rule, because “[w]hen [ePHI] is encrypted as the result of a ransomware attack … the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and [such encryption] thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”[6]
  • However, if the covered entity or business associate can demonstrate a “low probability that the PHI has been comprised,” the entity may overcome the presumption that a breach has occurred. If the entity is able to show that only a low probability of compromise exists, it should thoroughly document the risk assessment. Alternatively, if a determination is made that the attack qualifies as a breach, the entity should first make all required breach notifications and then document that such notifications were made.[7]
  • ePHI that has been rendered unreadable, unusable, and indecipherable to unauthorized persons by use of a technology specified by the Secretary of HHS—including certain types of encryption—falls outside of the definition of “unsecured PHI.”[8] Because the HIPAA Breach Notification Rule requires breach notification only after the discovery of a breach of unsecured PHI, loss or theft of encrypted information generally has been considered not to require breach notification.[9] Having said this, where data has been encrypted by the covered entity or business associate before a ransomware attack, the Guidance indicates that further analysis is needed to verify whether the encryption solution, “as implemented, has rendered the affected PHI unreadable, unusable and indecipherable to unauthorized persons.”[10] The example given is a laptop encrypted with a full-disk encryption solution in accordance with HHS guidance, properly shut down, and then lost or stolen; in this instance, the data is not unsecured PHI, because it has been rendered unreadable, unusable, and indecipherable to anyone but the authenticated user. By contrast, if the authorized user, when using the same laptop, clicks on a link to a malicious website which infects the laptop with ransomware, the ransomware may be able to access the ePHI, in which event the ePHI is unsecured and breach reporting will be required.[11]

HIPAA Security Rule Compliance Can Prevent, Respond to, and Help Recover From Ransomware

The Guidance addresses how an entity may prevent a ransomware attack, recover from an incident, respond to such an attack, and train system users to recognize when an attack occurs. Compliance with the HIPAA Security Rule, which is required of all covered entities and business associates, can help prevent the introduction of ransomware to an entity’s computer systems. Although OCR encourages entities to implement even more stringent security measures than the threshold requirements outlined in the Security Rule,[12] at a minimum, covered entities must:

  • Implement a security management process, including conducting a risk analysis to identify threats and vulnerabilities to ePHI;
  • Implement procedures to guard against and detect malicious software;
  • Train computer system users on malicious software protection so they can detect and report such malicious software; and
  • Implement access controls to limit access to ePHI to only persons or software programs requiring access.[13]

Security Rule compliance will assist entities in recovering from an attack. For example, a data backup plan is a HIPAA requirement, as a part of an overall contingency plan.[14] OCR notes that when a covered entity maintains data backups, that entity can recover data from backups and continue operations without paying the attacker’s ransom. Because some malware has disrupted online backups, however, OCR recommends maintaining backups offline or apart from the entity’s network.[15]

Covered entities and business associates must implement robust security incident procedures specific to responding to ransomware attacks, including processes to:

  • Detect and conduct an initial analysis of the ransomware;
  • Limit the impact and propagation of the ransomware;
  • Eliminate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • Recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations; and
  • Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if any entity has any regulatory, contractual or other obligations as a result of the incident, and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.[16]

HIPAA’s requirement that an entity’s workforce receive appropriate security training, “including training for detecting and reporting instances of malicious software,” also will aid covered entities and business associates in detecting a ransomware attack prior to being notified by hackers that the system is encrypted.[17] The Guidance notes that indicators of ransomware could include:

  • A user’s realization that a link that was clicked on, a file attachment opened, or a website visited may have been malicious in nature;
  • An increase in activity in the central processing unit (CPU) of a computer and disk activity for no apparent reason;
  • An inability to access certain files as the ransomware encrypts, deletes and re-names and/or re-locates data; and
  • Detection of suspicious network communications between the ransomware and the attackers’ command and control server(s).[18]

If any one of these indicators is present, and if an entity believes that a ransomware attack is underway, the entity should activate its security incident response plan, contact the FBI or U.S. Secret Service field office, and contact its legal, technical and forensic experts.[19]

Conclusion

The Guidance emphasizes that prevention of a ransomware attack is the best strategy, and the implementation of a response plan is crucial to meeting compliance deadlines, including breach notification. Covered entities and business associates should implement targeted employee training on ransomware at the earliest opportunity and consult with their privacy and information technology officers, as well as legal counsel, to prepare, implement, or assess their organizations’ readiness for a ransomware attack. Because entities can avoid breach notification by demonstrating that there is a “low probability that the PHI has been compromised,” covered entities and business associates should enlist as soon as possible the legal, technical, and forensic support necessary to assess, determine, and document instances where only such a “low probability” exists. Due to the time constraints set out in the Breach Notification Rule and related state breach notification laws, organizations should deploy these experts at the first indication of a ransomware attack.