One of the fastest growing areas of cybercrime is ransomware. Ransomware is a type of malicious software that encrypts data and makes it inaccessible to authorized users. The hackers who orchestrate ransomware attacks demand that authorized users pay a ransom in order to obtain the key to decrypt their data. Payment is generally required to be paid in bitcoin (or other forms of cryptocurrency) in order to maintain anonymity.

In an effort to combat the proliferation of ransomware attacks, the Office for Civil Rights (“OCR”) has released guidance on ransomware attack prevention and recovery from a healthcare entity’s perspective. OCR’s guidance includes a discussion on the role of the Health Insurance Portability and Accountability Act (“HIPAA”) in assisting covered entities and business associates to prevent ransomware attacks, recover from ransomware attacks, and how HIPAA breach notification should be handled in response to ransomware attacks. Portions of OCR’s guidance, along with commentary, are summarized below.

(1) How HIPAA compliance can help covered entities and business associates prevent ransomware attacks.

The HIPAA Security Rule (“Security Rule”) establishes national standards to protect individuals’ electronic protected health information (“ePHI”) that is created, received, used or maintained by a covered entity or a business associate.

The Security Rule requires covered entities and business associates to:

  • Conduct a risk analysis to identify vulnerabilities to ePHI and establish security measures to mitigate or remediate these risks. If a covered entity or business associate diligently conducts and updates its risk analysis, there will be fewer vulnerabilities in the system and less of an opportunity for malicious malware, like ransomware, to infiltrate the system.
  • Train authorized users on detecting malicious software and the reporting procedures if malicious software is identified. An employee opening an innocent looking email is the simplest and most common way that a cyberattack begins. Therefore, better trained employees can decrease an organization’s risk of a ransomware attack.
  • Implement access controls to limit access to ePHI to only those persons or software programs requiring access.

(2) How HIPAA compliance can help covered entities and business associates recover from a ransomware attack.

When responding to a ransomware attack, a covered entity or business associate likely will need to activate its contingency plan. Under the Security Rule, a contingency plan will include:

  • a data backup plan;
  • disaster recovery planning;
  • emergency operations planning;
  • analyzing the criticality of applications and data to ensure all necessary applications and data are accounted for; and
  • periodic testing of contingency plans to ensure organizational readiness to execute such plans and provide confidence they will be effective.

In addition, a covered entity or business associate must have security incident procedures, including procedures for responding to and reporting security incidents. Security incident procedures should include processes to:

  • detect and conduct an initial analysis of the ransomware;
  • contain the impact and propagation of the ransomware;
  • eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations; and
  • conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management.A covered entity or business associate with a robust contingency plan and well-thought-out security incident procedures will minimize the cessation of healthcare activities, and limit the potential financial and reputational harm caused by a ransomware attack.

(3) How HIPAA breach notification should be handled in response to a ransomware attack

Under HIPAA, any impermissible use or disclosure of ePHI is presumed to be a breach unless there is a low probability that the ePHI has been compromised. Whether there is a low probability that ePHI has been compromised is assessed through a risk assessment. In a risk assessment, the victim of a ransomware attack assesses:

  • The nature and extent of the ePHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who had access to or used the ePHI or to whom the disclosure was made;
  • Whether the ePHI was actually acquired or viewed; and
  • The extent to which the risk to the ePHI has been mitigated.

In addition, OCR recommends that hacked covered entities or business associates consider a number of additional factors to evaluate whether their ePHI has been compromised, including if there is a high risk of unavailability of the data, or a high risk to the integrity of the data.

If a covered entity or business associate can demonstrate that there is a low probability that ePHI has been compromised, the covered entity or business associate must maintain supporting documentation sufficient to demonstrate that low probability.

If a covered entity or business associate cannot demonstrate that there is a low probability that ePHI has been compromised, the covered entity or business associate must follow HIPAA reporting requirements. The covered entity must notify those individuals whose information has been breached, the Secretary of the Department of Health and Human Services, and potentially, the media.

To read the OCR guidance, click here.