The Office for Civil Rights (“OCR”) has issued new guidance in response to an increase in malicious cyberattacks, namely ransomware attacks on healthcare organizations’ computer systems. Ransomware is defined by HHS as a type of malicious software whose defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker until the requested ransom is paid. According to the U.S. Department of Health and Human Services (“HHS”), a recent U.S. government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016, which is a 300% increase over the 1,000 daily ransomware attacks reported in 2015.
It is important for health care entities to understand that the presence of ransomware on their computer systems is considered a security incident under the HIPAA Security Rule, and an organization’s response to a ransomware attack should follow the organization’s security incident response plan. However, even though the presence of ransomware on your computer system is considered a security incident, whether or not the presence of ransomware is a reportable breach depends on the facts of the situation. When ePHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired, and is thus a “disclosure” not permitted under the HIPAA Privacy Rule.
Unless a covered entity or business associate can demonstrate that there is a ‘low probability’ that the PHI has been compromised, based on the 4 factors set forth below, a breach of PHI is presumed to have occurred. If a healthcare entity is the victim of a ransomware attack, the entity should consider the following to help determine whether there is a ‘low probability’ that the PHI has been compromised:
1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2. the unauthorized person who used the PHI or to whom the disclosure was made;
3. whether the PHI was actually acquired or viewed; and
4. the extent to which the risk to the PHI has been mitigated.
In conducting the required risk assessment to determine whether there is a low probability that the PHI has been compromised, it is important that each individual organization maintain supporting documentation of its findings, including (i) documentation of the risk assessment demonstrating the conclusions reached, (ii) documentation of any exceptions determined to be applicable to the impermissible use or disclosure (see the highlighted portion of the attachment entitled “Breach Exception” for more details), and (iii) documentation demonstrating that all notifications were made, if a determination is made that the impermissible use or disclosure was a reportable breach.
If the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA, such that it is no longer “unsecured PHI,” then the healthcare organization would not be required to conduct a risk assessment to determine whether there is a low probability of compromise, and breach notification would not be required. However, if, for example, a computer was powered on and a physician clicked on a phishing email that infected the system with ransomware, it would be necessary to dig deeper to confirm whether the ePHI was actually “unreadable, unusable and indecipherable to unauthorized persons” if data was in fact pulled from the covered entity’s or business associate’s computer system.
With the influx of ransomware attacks occurring, it is important that covered entities and business associates ensure that security measures to help prevent the introduction of malware are in place and up to date, along with policies and procedures enabling the covered entity or business associate to respond quickly if a ransomware attack is successful.