On July 11, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) published new guidance on the how HIPAA applies to ransomware prevention and attacks. Specifically, the guidance lays out OCR’s view of what HIPAA requires covered entities do to prepare for ransomware attacks, and makes clear that a ransomware attack on protected health information (PHI) could be a breach that would need to be reported under the HIPAA breach notification rule.
Ransomware is malicious software designed to gain access to a victim’s computer systems and then render the data on those systems inaccessible, usually by encrypting it. The user must then pay the hacker a ransom to get the key to unlock the data. Ransomware has become increasingly prevalent as an attack vector, and in recent months several hospitals have reported ransomware, including a hospital in Los Angeles that paid a $17,000 ransom after losing access to its electronic medical records system for over a week, shutting down certain departments and forcing the hospital to transfer some patients elsewhere.
According to the guidance, HIPAA regulations require a covered entity to have procedures in place to prevent, identify, and recover from infections of ransomware. For example, covered entities are required to perform a comprehensive risk analysis of the “potential risks and vulnerabilities to the confidentiality, integrity and availability of all of” the electronic PHI the entity possesses. Entities must put security measures in place that reduce those risks to a “reasonable and appropriate level,” whether or not HIPAA rules and regulations otherwise specifically require the particular measures. Specifically, the guidance indicates that covered entities must have in place a data backup plan that would allow for recovery in the case of a successful ransomware attack.
The guidance makes clear that a ransomware attack that successfully encrypts protected health information may be a breach that must be reported. HHS’s view is that PHI that is encrypted is “acquired [by the ransomware] (i.e., unauthorized individuals have taken possession or control of the information),” and this “is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” In fact, even the presence of ransomware on a system is a security incident that HHS believes must be presumed to be a breach “[u]nless the covered entity . . . can demonstrate that there is a ‘... low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule.”
An entity can make this determination by undertaking a good faith risk assessment that reasonably determines that there was such a low probability of compromise, based on the four factors laid out in HIPAA—(1) the nature and extent of PHI involved, (2) the unauthorized person who accessed the PHI, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk to the PHI has been mitigated. (See 45 C.F.R. § 164.402(2)) The entity must also retain the documentation supporting its assessment.
Notably, the guidance allows that a ransomware attack may not constitute a breach if the PHI to which the ransomware has access is already encrypted. This is a fact-specific determination, and the guidance specifically indicates that the conclusion depends on how and where the ransomware was able to access the system. For example, a laptop may contain information that is encrypted if lost or stolen and access to it is sought by an unauthorized user. On the other hand, if the same laptop is powered up and in use by an authorized user, the information may be unencrypted and available for access by the ransomware during the period of authorized use.
While this guidance on reporting ransomware breaches is new, the underlying reporting regulations date back to January 2013. To the extent that any entity has had an unreported ransomware attack since then, that entity should review and determine whether reporting is necessary in light of this new guidance.
