The U.S. Department of Health and Human Services (“HHS”) recently issued a “Fact Sheet” which discusses ransomware attack prevention and recovery under HIPAA, as well as the management of HIPAA breach notification procedures in response to a ransomware attack. According to the Fact Sheet, “ransomware” is a type of malicious software by which a hacker gains access to electronic data and then encrypts it with a key known only to the hacker, such that the data owner is denied access to it. The Fact Sheet provides helpful descriptions and specific examples of how the requirements of the security regulations under HIPAA (the “Security Rules”), which govern the confidentiality of a HIPAA covered entity’s electronic protected health information (“EPHI”), may be applied to prevent, detect, and recover from infections of EPHI by ransomware. Importantly, the Fact Sheet also explains HHS’s view that a ransomware infection of unsecured EPHI on a computer system that is maintained for a covered entity, such as an employer-provided group health plan, is generally considered to be a “breach” under the Security Rules. This is because the EPHI encrypted by the ransomware was acquired (i.e., taken control of) by an unauthorized individual, and thus an impermissible disclosure under HIPAA has occurred.
The Fact Sheet reports there have been 4,000 daily ransomware attacks since early 2016 (a 300 percent increase over the number reported in 2015). In light of these sobering statistics, employers that sponsor group health plans that are covered entities under HIPAA would be well-advised to review the Fact Sheet and carefully consider this guidance when developing or maintaining compliance with the Security Rules.
A copy of the Fact Sheet is available here.