The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released its much-anticipated guidance on ransomware (OCR Ransomware Guidance) this week in response to a number of highly publicized attacks targeting the healthcare sector. Ransomware is a type of malicious software that encrypts data, making it inaccessible until the data owner pays a ransom. The OCR Ransomware Guidance describes how healthcare organizations can prevent such attacks and how such attacks may come within the ambit of HIPAA.

OCR takes the position that a ransomware attack will typically result in a breach of electronic protected health information (ePHI), triggering notification to affected individuals, OCR and, in some cases, the media.  Specifically, OCR notes that when ePHI is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI was acquired (unauthorized individuals took possession or control of the information) and disclosed in a manner not permitted by the HIPAA Privacy Rule. OCR acknowledges, however, that whether ePHI is compromised due to a ransomware attack is a fact-specific inquiry. Therefore, while a ransomware attack will typically result in a breach under HIPAA, a risk assessment should be performed promptly.

Unless a covered entity or business associate can demonstrate that there is a “low probability that PHI has been compromised” based on a risk assessment of four factors set forth in the HIPAA Breach Notification Rule, a breach is presumed under HIPAA. According to the OCR Ransomware Guidance, a risk assessment involving a ransomware incident should also consider whether there is a high risk of unavailability of data or a high risk to the integrity of the data as a result of the attack.  Where a covered entity or business associate has a strong data backup program that ensures the organization can recover its data, the organization may be able to demonstrate that it has mitigated any potential harm to individuals.  OCR expects the risk assessment to be “thorough, completed in good faith and reach conclusions that are reasonable under the circumstances.”

The OCR Ransomware Guidance also highlights the importance of training workforce members to identify and avoid potential ransomware attacks. Organizations are reminded to have backup data systems along with business continuity plans that are routinely tested. OCR urges implementation of security measures in compliance with the HIPAA Security Rule to help prevent ransomware and other cyber attacks.

The Guidance follows a letter that the Secretary of HHS sent to chief executive officers of healthcare companies highlighting the importance of security in the face of such threats. The Secretary included with her letter a U.S. Government interagency technical guidance document informing chief information officers and chief information security officers at critical infrastructure entities of existing best practices to prevent and respond to ransomware attacks.

As a result of this new guidance, covered entities and business entities should:

• Review the OCR Ransomware Guidance, along with the Secretary’s letter and accompanying technical guidance document;
• Conduct a risk analysis to identify threats and vulnerabilities;
• Establish a plan to mitigate against identified threats and vulnerabilities;
• Implement policies and procedures to safeguard against malware;
• Train workforce members on how to identify and report cyber threats;
• Limit ePHI access only to those who require it to perform their jobs; and
• Maintain backup data systems and business continuity plans (and routinely test both).