mask

By Jessica Engler and Lyn Savoie

Ransomware is here to stay. According to a recent United States Government interagency report, on average, there have been approximately 4,000 daily ransomware attacks since early 2016, which is a 300 percent increase from the approximately 1,000 daily ransomware attacks reported in 2015.[1] A significant percentage of those affected by ransomware have been healthcare providers who are subject to the Health Insurance Portability and Accountability Act (“HIPAA”).

Ransomware is a form of malware that targets a user’s critical data and systems in order to extort payment for restoration of the data or system. After the user is locked out of their system, the perpetrator will demand a ransom payment in order to have the data restored. Else, the data will be deleted or permanently encrypted. After the user sends payment, the perpetrator will provide the victim an avenue to regain or access the data.

The healthcare industry is particular vulnerable to this cyber activity because ransomware can block access to electronic medical records, which can disrupt patient care.[2] In February, attackers held data belonging to the Hollywood Presbyterian Medical Center in Los Angeles for ransom using a piece of ransomware called “Locky.” The hospital remained offline for over a week until hospital officials caved to the demands and paid the equivalent of $17,000 in Bitcoin.[3] Other hospitals and healthcare providers have faced similar attacks.[4] According to new research by Solutionary, an Omaha-based security firm, healthcare organizations were 114 times more likely to be hit by ransomware infections than financial firms, and 21 times more likely than educational institutions.[5] This increase of attacks and threat to healthcare records caused lawmakers to push the U.S. Department of Health & Human Services (“HHS”) for guidance regarding ransomware cybersecurity attacks—particularly on the points of reporting attacks and whether such attacks are considered a violation of HIPAA.

On July 11, 2016, the Office for Civil Rights (“OCR”) issued new guidance on how to handle ransomware attacks under HIPAA. This new guidance discusses how the security requirements under HIPAA can help organizations prevent, detect, and recover from ransomware attacks. The OCR guidance expressly provides that the presence of ransomware on a computer system is a “security incident” under the HIPAA Security Rule and, therefore, an entity impacted by such ransomware must initiate security incident and response and reporting procedures.  Additionally, the OCR guidance addresses whether a ransomware infection is considered a “breach” under HIPAA.

Whether or not the presence of ransomware will constitute a breach is a case-by-case determination. The HIPAA Rules define a “breach” as “the acquisition, access, use, or disclosure of Protected Health Information (“PHI”) in a manner not permitted under the [HIPPA Privacy Rule] which comprises the security or privacy of the PHI.”[6] In cases where electronic PHI is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was accessed and is consequently an impermissible disclosure under the HIPAA Privacy Rule. The entity must then comply with the applicable notification provisions under the HIPAA Breach Notification Rules, including notifying the affected individuals, the Secretary of HHS, and (if the breach affects more than 500 individuals) the media.[7]

Pursuant to the HIPAA Breach Notification Rule, a breach is presumed to have taken place unless the entity suffering the attack can show that there is a “low probability that the PHI has been compromised.”  To make such a determination, the entity must perform a risk assessment that considers, at a minimum, the following four factors:

  • The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom disclosure was made;
  • Whether PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.[8]

In its recent guidance document, OCR encourages entities to consider additional factors, such as the high risk of unavailability of the data or a high risk to data integrity.[9] This risk assessment must be thorough, completed in good faith, and reach conclusions that are reasonable given the circumstances. Further, the covered entity and business associates must maintain supporting documentation regarding the breach assessment—and, if applicable, notification—process, including documentation of: (1) the risk assessment demonstrating the conclusions reached; (2) any exceptions determined to be applicable to the impermissible use or disclosure of the PHI; and (3) all notifications that were made, if applicable.[10] Outside of this guidance, it is undetermined at this time what will satisfy the OCR that a particular ransomware attack qualifies as having a “low probability of harm.”

The full OCR guidance can be found on the HHS’s website, which also includes recommendations for protection of data in order to prevent a breach, as well as response and recovery from the ransomware attack.[11] It should be noted that this new guidance does not create new law. Rather, it is a clarification by OCR of federal law that has been in place since 2013, meaning that entities subject to HIPAA that have suffered a ransomware attack in the past three years may need to determine whether they need to report the incidents.

Data breaches are serious incidents. They can be even more serious and dangerous when patients’ medical records and medical care are at stake. It is recommended that healthcare entities, as well as their HIPAA business associates, consult with an attorney to ensure compliance with HIPAA before a breach happens, as well as immediately after a potential breach is discovered, to perform the proper due diligence and move in the right direction towards compliance and recovery.

_____________________________________________

[1] United States Government Interagency Guidance Document, How to Protect Your Networks from Ransomware, Justice.gov (available at https://www.justice.gov/criminal-ccips/file/872771/download).

[2] Kim Zetter, Why Hospitals are the Perfect Targets for Ransomware, Wired.com (13:31:00, Mar. 30, 2016) (available at https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/).

[3] Id.; Joseph Conn, Hospital Pays Hackers $17,000 to Unlock EHRs Frozen in ‘Ransomware’ Attack, Modern Healthcare (Crain Communications, Inc., Feb. 18, 2016) (available at http://www.modernhealthcare.com/article/20160217/NEWS/160219920).

[4] See, e.g., Bill Siwicki, Ransomware Attackers Collect Ransom from Kansas Hospital, Don’t Unlock All the Data, then Demand More Money, Healthcare IT News (HIMSS Media, 14:58:00, May 23, 2016) (available at http://www.healthcareitnews.com/news/kansas-hospital-hit-ransomware-pays-then-attackers-demand-second-ransom); Mike Miliard, Two More Hospitals Struck by Ransomware, in California and Indiana, Healthcare IT News (HIMSS Media, 10:55:00, Apr. 4, 2016) (available at http://www.healthcareitnews.com/news/two-more-hospitals-struck-ransomware-california-and-indiana); Joseph Conn, Patient Data Held for Ransom at Rural Illinois Hospital, Modern Healthcare (Crain Communications, Inc., Dec. 17, 2014) (available at http://www.modernhealthcare.com/article/20141217/NEWS/312179948).

[5] Meg Bryant, Healthcare Orgs at Much Higher Risk of Ransomware Attack Than Financial Institutions, Healthcare DIVE (Industry Dive, Jul. 28, 2016) (available at http://www.healthcaredive.com/news/healthcare-orgs-at-much-higher-risk-of-ransomware-attack-than-financial-ins/423395/); Maria Korolov, Health Care Organizations 114 Times More Likely to Be Ransomware Victims than Financial Firms, CSO (IDG, 5:00:00, Jul. 26, 2016) (available at http://www.csoonline.com/article/3099852/security/health-care-organizations-114-times-more-likely-to-be-ransomware-victims-than-financial-firms.html).

[6] U.S. Department of Health & Human Services Office for Civil Rights, Fact Sheet: Ransomware and HIPAA, HHS.gov (July 11, 2016) (available at http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf).

[7] See 45 C.F.R. 164.400–414.

[8] 45 C.F.R. 164.402(2).

[9] Data integrity is an important consideration in the ransomware context, as many ransomware programs delete the original data and leave only the data in the encrypted form. Eric Schulwolf, HHS OCR Guidance on Ransomware Attacks: They Constitute a “Security Incident” and are Likely a Data Breach, JD Supra Business Advisor (JD Supra, LLC, Jul. 25, 2016) (available at http://www.jdsupra.com/legalnews/hhs-ocr-guidance-on-ransomware-attacks-11173/).

[10] 45 C.F.R. 164.530(j)(iv), 164.414, 164.402(1).

[11] See U.S. Department of Health & Human Services Office for Civil Rights, Fact Sheet: Ransomware and HIPAA, HHS.gov (July 11, 2016) (available at http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf).