HIPAA Compliance Will Stop Ransomware’s Damage

On average, there have been 4,000 daily ransomware attacks since early 2016, an increase of 300% over the 1,000 daily ransomware attacks reported in 2015.[1] The Health and Human Services Office for Civil Rights (HHS OCR) has released a fact sheet stating that implementing HIPAA standards in your organization will help defend against malicious software (malware) attacks such as the WannaCry ransomware.

A summary of the eight-page Fact Sheet: Ransomware and HIPAA is provided below by our Total HIPAA team. HHS OCR answers eight (8) key questions about dealing with ransomware and keeping electronic protected health information (ePHI) safe.[2]

1. What is ransomware?

Ransomware is a type of malware that attempts to deny access to a user’s data, typically by encrypting the data with a key known only to the attacker until a ransom is paid. The ransomware then directs the user to pay a ransom to the attacker in order to receive the decryption key. However, attackers may also deploy ransomware that destroys or exfiltrates data.

2. Can HIPAA compliance help covered entities and business associates prevent infections of malware, including ransomware?

Yes. The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. The Security Rule establishes minimum requirements for the security of ePHI (45 CFR 164.308(a)(1)(i)); entities are encouraged to implement additional and/or more stringent security measures.

3. Can HIPAA compliance help covered entities and business associates recover from infections of malware, including ransomware?

Yes. The HIPAA Security Rule requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack.

Because ransomware denies access to data, maintaining frequent backups and ensuring the ability to recover data from those backups is crucial to recovering from a ransomware attack. Test restorations should be conducted periodically to verify the integrity of backed-up data and to provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and unreachable from their networks.

When responding to a ransomware attack, an entity may find it necessary to activate its contingency or business continuity plans. Once activated, an entity will be able to continue its business operations while continuing to respond to and recover from a ransomware attack.

4. How can covered entities or business associates detect if their computer systems are infected with ransomware?

HIPAA’s requirement that an entity’s workforce receive appropriate security training, including training on detecting and reporting instances of malware, can help entities prepare their staff to detect and respond to ransomware.

If an entity believes that a ransomware attack is underway, it should immediately activate its security incident response plan, which should include measures to isolate the infected computer systems in order to halt further propagation of the attack.

5. What should covered entities, or business associates or business associate subcontractors do if their computer systems are infected with ransomware?

Once ransomware is detected, the organization must initiate its security incident response and reporting procedures (45 C.F.R. 164.308(a)(6)). These procedures should help your organization prioritize subsequent incident response activities and serve as a foundation for further analysis of the incident and its impact.

6. Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?

Whether the presence of ransomware constitutes a breach under HIPAA is a fact-specific determination. A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA which compromises the security or privacy of the PHI (45 C.F.R. 164.402). When ePHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired by an unauthorized user, and thus is a disclosure not permitted under HIPAA.

Unless your organization can demonstrate that there is a low probability that the PHI has been compromised, based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions (45 C.F.R. 164.400-414).

7. How can covered entities or business associates demonstrate… that there is a low probability that the PHI has been compromised such that breach notification would not be required?

To demonstrate that there is a low probability that the ePHI has been compromised, a risk assessment considering at least the following four (4) factors must be conducted (45 C.F.R. 164.402(2)):

  1. The nature and extent of the ePHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the ePHI or to whom the disclosure was made;
  3. Whether the ePHI was actually acquired or viewed; and
  4. The extent to which the risk to the ePHI has been mitigated.

A thorough and accurate evaluation of the evidence acquired and analyzed during security incident response activities can support this risk assessment.

8. Is it a reportable breach if the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA?

If the ePHI is encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, such that it is no longer unsecured PHI, then the entity is not required to conduct a risk assessment to determine whether there is a low probability of compromise, and breach notification is not required.[3]

For example, if a laptop encrypted with a full disk encryption solution in a manner consistent with HHS guidance is properly shut down and powered off and is then lost or stolen, the data on the laptop would be unreadable, unusable and indecipherable to anyone other than the authenticated user. In that case the entity would not need to perform a risk assessment or provide breach notification. But if the laptop is powered on and in use by an authenticated user, who then clicks on a link to a malicious website or opens an attachment from a phishing email that infects the laptop with ransomware, there could be a breach of ePHI, because full disk encryption offers no protection while the disk is unlocked and in use.

The complete HHS document can be read at Fact Sheet: Ransomware and HIPAA.

References:
  1. https://www.justice.gov/criminal-ccips/file/872771/download
  2. https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf?language=es
  3. https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
