“The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals,” and as a result the Office for Civil Rights (OCR) of the US Department of Health & Human Services (HHS) issued a Fact Sheet and report on July 11, 2016 entitled “Your Money or Your PHI: New Guidance on Ransomware.” The OCR made clear that if a Covered Entity has properly encrypted its ePHI (electronic Protected Health Information), a ransomware infection that encrypts that data is not a reportable breach. This was explained in the answer to Question #8, “Is it a reportable breach if the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA?”, which applies when the ePHI is:
…encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer “unsecured PHI,” then the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.
Two caveats from the same Fact Sheet matter in practice. First, the exemption depends on the data actually being unreadable to the attacker at the time of infection: the OCR notes that a full-disk encryption product transparently decrypts files for a logged-in user, so ransomware running under that user’s account can read and encrypt the plaintext, and the breach risk assessment then still applies. Second, the presence of ransomware on a system is a security incident under the HIPAA Security Rule regardless of encryption, so the entity’s incident response and reporting procedures still apply even when breach notification does not.
The OCR Fact Sheet explained how HIPAA applies to ransomware by answering these eight questions:
- What is ransomware?
- Can HIPAA compliance help covered entities and business associates prevent infections of malware, including ransomware?
- Can HIPAA compliance help covered entities and business associates recover from infections of malware, including ransomware?
- How can covered entities or business associates detect if their computer systems are infected with ransomware?
- What should covered entities or business associates do if their computer systems are infected with ransomware?
- Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?
- How can covered entities or business associates demonstrate “…that there is a low probability that the PHI has been compromised” such that breach notification would not be required?
- Is it a reportable breach if the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA?
SC Magazine reported that the OCR issued the ransomware guidance in response to a June 2016 letter from US Representatives Ted Lieu (California) and Will Hurd (Texas) urging HHS “to develop ransomware guidelines.”