On July 11, 2016, the Office for Civil Rights of the U.S. Department of Health and Human Services ("OCR") issued new guidance regarding malicious cyber-attacks generally and ransomware specifically (the "Guidance"). According to the Guidance, a U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016. This represents a 300% increase over the 1,000 daily ransomware attacks reported in 2015. OCR views the exponential growth in ransomware attacks as a significant problem for covered entities and business associates, and issued the Guidance for them to review and follow.
Ransomware is a type of malware that attempts to deny access to a user's data, usually by encrypting the data with a key known only to the attacker who deployed the malware, until a ransom is paid. Once the data is encrypted, the ransomware directs the user to pay a ransom to the attacker in order to receive the decryption key.
Importantly, OCR takes the position that the presence of ransomware may be reportable as a HIPAA breach, depending on the facts and circumstances, even if the affected electronic protected health information ("ePHI") is encrypted. First, when ePHI is encrypted by ransomware, a breach has occurred because the ePHI was acquired in an unauthorized manner by unauthorized individuals; an unauthorized use or disclosure has therefore taken place. Second, unless the covered entity or business associate can demonstrate that there is a "…low probability that the PHI has been compromised," a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of Health and Human Services, and to the media (for breaches affecting more than 500 individuals) in accordance with the HIPAA breach notification requirements.
OCR expects entities to comply with the Security Management Process standard of the Security Rule, which requires all covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI they create, receive, maintain, or transmit. OCR also expects covered entities and business associates to implement security measures sufficient to reduce the identified risks and vulnerabilities to an appropriate level.
The Guidance is meant to educate covered entities and business associates about their responsibilities under HIPAA and to explain OCR's position on ransomware attacks. All covered entities and business associates should analyze the Guidance and conduct a risk analysis as soon as possible. The OCR Guidance can be viewed in its entirety on the HHS website.