Following a recent U.S. government interagency report indicating that, on average, there has been an alarming 300 percent spike in daily ransomware attacks since early 2016 as compared with 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released new Health Insurance Portability and Accountability Act (“HIPAA”) guidance on ransomware. In addition to OCR’s guidance, the Secretary of HHS sent a letter to chief executive officers of companies in the health care sector stressing the importance of robust security compliance to combat ransomware attacks.

Ransomware, as explained by OCR, is a type of malware (i.e., malicious software) that most often attempts to deny access to a user’s data, usually by encrypting the data, until a ransom is paid. Hackers may also deploy ransomware in conjunction with other malware that destroys or transfers data from the infected information system. Indicators of a ransomware attack could include, for example, an inability to access certain files, or a user’s realization that a link or file attachment that was opened may have been malicious in nature.

OCR’s guidance outlines ransomware attack-prevention and recovery from a health care industry perspective, including the role that HIPAA has in assisting HIPAA-covered entities and business associates to thwart and, if necessary, recover from ransomware attacks. The guidance also highlights how the minimum security measures required by HIPAA help covered entities and business associates to prevent infections of malware, and explains how HIPAA breach-notification processes should be managed in the event of a ransomware attack.

Specifically, the guidance provides steps for key security measures and processes for HIPAA-covered entities and business associates to consider in ransomware prevention, immediate response to a ransomware attack, and activities undertaken subsequent to a security incident:

Prevention

  • Implement a security management process, including a risk analysis identifying threats and vulnerabilities
  • Adopt procedures to guard against and detect malicious software
  • Train users on malicious software protection for easy detection and quick response
  • Limit access to data by implementing access controls

Immediate Response

  • Conduct an initial analysis of the ransomware (i.e., identify the scope, origination, and current active or inactive status of the ransomware)
  • Contain the impact and growth of the attack
  • Eradicate the instances of ransomware
  • Mitigate or remediate vulnerability that permitted the attack
  • Restore data lost during the attack

Post-incident Analysis

  • Consider any regulatory, contractual or other obligations as a result of the incident (e.g., providing notification of breach of protected health information)
  • Incorporate lessons learned from the attack into the security management process

In a gloomy climate of rapidly growing ransomware attacks, it is imperative that HIPAA-covered entities and business associates review policies and procedures in place to prevent and respond to cybersecurity threats. OCR’s guidance on ransomware attacks in particular is an important tool in conducting this review, and may have a substantive impact on HIPAA compliance, and on the security of health care sector information in the future.