OCR Issues HIPAA Guidance on Ransomware Threat to Health Care Industry

U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has published a HIPAA Fact Sheet, outlining the multi-faceted threat which ransomware poses to the health care sector and providing insights into how this threat may affect HIPAA compliance.  In this publication, OCR states that a ransomware attack, even on encrypted devices, may result in a reportable breach of electronic Protected Health Information (“ePHI”).  In light of this, covered entities and business associates should consider revisions to their risk assessment plans specifically directed at countering ransomware attacks.

Ransomware is an increasingly rampant type of malware that encrypts data with a complex “key” known only to the hacker, making data and possibly entire information systems such EHRs or scheduling programs, inaccessible to authorized users. Once ransomware has taken hold, hackers demand a payment before providing the key required to decrypt the affected files.  Ransomware frequently infects devices and systems when unsuspecting users click on malicious website links or open infected emails attachments.

OCR’s guidance states that ransomware infections of a computer system are a “security incident” under HIPAA. As a result, once ransomware is detected, the covered entity or business associate must initiate its HIPAA-mandated security incident and response and reporting procedures.  In addition, they should also assess whether or not a “breach” has occurred.  As defined by HIPAA regulations, a breach occurs with “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [rules governing PHI] which compromises the security or privacy of the PHI.” Whether ransomware infections meet this definition is a fact-sensitive question.

According to OCR’s recent guidance, ransomware represents an unauthorized user’s attempt to encrypt the data, which amounts to an “acquisition,” and therefore impermissible disclosure, under HIPAA. At this point, a risk assessment is required to determine whether there is a “low probability” that a breach has occurred, taking into account the following factors:  (1) the nature and extent of ePHI involved; (2) the unauthorized person who used ePHI or to whom the disclosure was made; (3) whether the ePHI was actually acquired or viewed; and (4) the extent to which the risk to ePHI has been mitigated.  If a “low probability” of compromise cannot be demonstrated, then a breach has occurred and HIPAA’s Breach Notification Rule is triggered.

If encrypted data is involved, the question of whether or not a breach has occurred becomes more complicated and depends, in part, of the technical aspects of the particular encryption used. Because the Breach Notification Rule only applies to  “unsecured PHI,” meaning PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary,”  properly encrypted PHI, even if stolen, usually does not constitute a “breach.”  However, additional analysis is still required to ensure that the encryption solution, as implemented, is effective.  For example, a full disk encryption solution may render the data on a computer system’s hard drive unreadable, unusable and indecipherable to unauthorized persons while the computer system is powered down. However, once the system is operational, many full disk encryption solutions will transparently decrypt and encrypt files accessed by the user.  Thus, an authenticated user who accidentally infects the system with ransomware may cause breach of ePHI.  Thus, despite having encryption protection in place, sophisticated ransomware can result in a breach of ePHI which is reportable under HIPAA

HIPAA already requires covered entities and business associates to implement security measures to prepare for, respond to, and recover from ransomware and other malware attacks. Some of these required security measures include: implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to ePHI and implementing security measures to mitigate or remediate those identified risks; implementing procedures to guard against and detect malicious software; training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

With respect to recovery from a ransomware infection, covered entities should maintain offline backups of data and conduct periodic test restorations to verify the integrity of backed-up data. HIPAA requires covered entities to have a data backup plan as well as security incident procedures.

An interagency U.S. Government report reveals that there have been 4,000 daily ransomware attacks since early 2016, a remarkable 300% increase from this period last year. With health information systems containing vital information for daily operation as well as highly personal information of their patients, the health care sector has been a growing target of ransomware.  The OCR’s new guidance recognizes this threat, and clarifies the implications that it carries for covered entities and business associates.