Ransomware May Be a Reportable HIPAA Breach

Bryan Cave Leighton Paisner

In 2016, more than 4,000 ransomware and other malware attacks have been occurring daily, a 300% increase over 2015. Six hospitals have reportedly been hit by ransomware in 2016. Ransomware is malicious software used by cyber criminals to deny an entity access to its own systems and/or data, typically by encrypting them; it can spread to shared storage drives and other connected systems. The systems and data are held hostage until a ransom is paid.

Ransomware is more disruptive and debilitating than other criminal cyber threats because it can:

Disrupt the ability to provide health services and daily operations

Inflict significant financial losses

Damage electronic protected health information (EPHI) and other sensitive data beyond recovery

Expose EPHI to a breach

Harm the reputation of the organization
Attackers typically get into an organization’s systems by tricking a user into disclosing a password or opening a malware-laden email attachment. They also seed legitimate websites with malicious code that exploits unpatched software on an organization’s computers.

The presence of ransomware on a computer of a covered entity or business associate is a security incident under the HIPAA Security Rule, and the entity must respond in accordance with its security incident procedures. A risk assessment must then be performed to determine whether the attack resulted in a reportable breach of EPHI. If EPHI is encrypted by the ransomware, the Office for Civil Rights (OCR) treats this as an unauthorized acquisition of the EPHI, because the attackers have taken control of it, and a breach is presumed unless the entity can demonstrate a low probability that the EPHI has been compromised. If the EPHI was already encrypted by the covered entity/business associate in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals [1], a breach most likely did not occur, unless a factual analysis of the event shows that the encryption solution failed (for example, full-disk encryption protects data only while the machine is powered off, so it offers no protection if the ransomware ran on a logged-in, unlocked system).

A new fact sheet, “Ransomware and HIPAA” [2], released by OCR emphasizes that covered entities/business associates are required to implement security measures sufficient to reduce the risks to EPHI posed by the introduction of malware, including ransomware. As part of the risk analysis required by the HIPAA Security Rule, covered entities/business associates must identify the potential risks to their EPHI and the measures that will be implemented to address the identified vulnerabilities. As an example, although no HIPAA regulation specifically requires covered entities/business associates to update the firmware of network devices, entities should identify and address the risks to EPHI of running network devices on obsolete firmware, especially when firmware updates are available that remediate known security vulnerabilities.

Because prevention and early detection are the best defenses against ransomware, the required security awareness training should include content specifically focused on ransomware, such as:

Never click unsolicited links or open unsolicited attachments

Report any suspected infection immediately, at any hour, to a designated contact

Indicators of ransomware: a link was clicked or an attachment opened that appears malicious; unusually high CPU activity on the computer; inability to access files

[1] Available at http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html.

[2] Available at http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bryan Cave Leighton Paisner | Attorney Advertising
