Ransomware is malicious software that denies access to data, usually by encrypting the data with a key that the attacker withholds until a ransom is paid. Sometimes the ransomware will also destroy, steal, or export data from information systems.
Ransomware has become a significant threat to all U.S. businesses and individuals, and a particularly dangerous threat to those in health care. Ransomware victims are not only at risk of losing their files or suffering a data breach, but may also experience financial loss from paying the ransom, lost productivity, IT services, legal fees, network countermeasures, and the purchase of credit monitoring services for employees or customers whose information was referenced in the encrypted files. In health care, the consequences can be far more serious: protected health information can be lost, destroyed, or shared with malicious actors, patient treatment can be delayed, and lives could even be lost as a result of systems being locked down by malicious actors.
Due to the significant uptick in ransomware attacks and the particularly powerful threat they pose to the health care industry, the Federal Health and Human Services Department (HHS) issued a fact sheet, available here, that provides guidance on ransomware issues and notes that hospitals and doctor offices may be required to notify HHS if they are a victim of ransomware. As it notes, “The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. . . . Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).”