New HIPAA Guidelines on Ransomware Disclosures
By Roger Murray | August 1st, 2016
The Office for Civil Rights (OCR) of the Department of Health & Human Services has issued guidance on how to manage the increasing frequency of ransomware attacks against healthcare providers. Ransomware is malware that encrypts data until a ransom is paid to the attacker, who in return will hopefully hand over the decryption key to unlock the data on your machines. It is a very real threat for any provider that runs electronic health record systems. However, these guidelines are somewhat vague on what is or isn’t considered a data breach, which is why we decided to provide some clarity on the latest release.
Background: A recent U.S. government interagency report indicates that there have been, on average, over 4,000 ransomware attacks per day since the start of the year, a 300% increase over the 1,000 daily attacks reported the year before. This is why California Representative Ted Lieu submitted a bill that would require medical organizations to treat ransomware incidents as data breaches, requiring providers to issue breach notifications to those affected.
Defining A Breach: The document is very clear that any ransomware attack on a covered organization that successfully encrypts health data should be treated as a breach. However, the mere presence of ransomware does not necessarily mean Electronic Protected Health Information (ePHI) was compromised. This determination is governed by the HIPAA Privacy Rule, which defines a breach as the acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted by the rule that compromises the security or privacy of the PHI.
Basically, this means that if ePHI becomes encrypted as a result of a ransomware attack, a breach has occurred, because the ePHI was compromised the moment an unauthorized person took possession or control of your data. In this scenario, you need to comply with the notification provisions, including notification to the affected individuals, the Secretary of HHS, and the media (for breaches affecting more than 500 individuals), without unreasonable delay.
However, if you can demonstrate that there was a low probability the PHI was compromised, as defined by the Breach Notification Rule, no notifications are required. This determination is made through a risk assessment that takes into account several factors, including: the nature and extent of the PHI involved, the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated.
Even PHI that was encrypted before an attack occurred can still be interpreted as breached, unless the assessment determines that the encryption solution has rendered the PHI unreadable, unusable, and indecipherable to unauthorized persons.
Takeaway: The most important takeaway from the document is to prevent ransomware attacks and safeguard your data before an attack ever occurs. All HIPAA covered organizations are required to develop and implement proper procedures to respond to malware and other security risks. This means incorporating processes to isolate infected machines and to prevent an attack from spreading throughout your network. Frequent data backups, and testing to ensure you have the ability to recover quickly from an attack, are also paramount. For more information from one of our HIPAA experts, including risk assessment, maintenance, reporting, and compliance regulations, contact us today!