OCR Releases Guidance on Ransomware & HIPAA
On July 11, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) issued guidance (the “Guidance”) for health care entities relating to ransomware and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Guidance does not introduce new mandates for covered entities and business associates, but it does emphasize how rigorous adherence to the HIPAA Security Rule can help prevent and mitigate the effects of ransomware attacks.
As noted in the Guidance, ransomware “is a type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid.” The Guidance notes that more than 4,000 ransomware attacks have occurred daily since January 1, 2016, a 300 percent increase over the approximately 1,000 attacks per day reported in 2015.
The Guidance was released following several high-profile ransomware attacks involving hospitals in 2016. On June 20, 2016, HHS Secretary Sylvia M. Burwell sent letters to chief executive officers of health care organizations discussing the threat of ransomware generally and enclosing information on ransomware prepared by the federal government. The information stated that the top five ransomware variants targeting U.S. companies and individuals are CryptoWall, CTB-Locker, TeslaCrypt, MSIL/SAMAS and Locky.
The Guidance is in the form of a Fact Sheet. The OCR provides answers to significant questions about HIPAA and ransomware, including:
- Can HIPAA compliance help covered entities and business associates prevent infections of malware, including ransomware?
- Can HIPAA compliance help covered entities and business associates recover from infections of malware, including ransomware?
- How can covered entities or business associates detect if their computer systems are infected with ransomware?
- What should covered entities or business associates do if their computer systems are infected with ransomware?
- Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?
- How can covered entities or business associates demonstrate “…that there is a low probability that the [protected health information (“PHI”)] has been compromised” such that breach notification would not be required?
- Is it a reportable breach if the [electronic PHI] encrypted by the ransomware was already encrypted to comply with HIPAA?
The Guidance states that adherence to the Security Rule mandates will assist health care entities in preventing and recovering from malware and ransomware infections. For instance, the Security Rule requires covered entities and business associates to implement a security management process including a risk analysis to identify threats and vulnerabilities to electronic PHI and requires implementation of procedures to guard against and detect malware. With respect to recovery from a ransomware attack, the Security Rule mandates the creation of a contingency plan, which may need to be activated in the event of a ransomware attack.
Deciding whether a ransomware attack constitutes a HIPAA breach has generated significant debate within the health care industry. According to the OCR, “When [electronic PHI] is encrypted as the result of a ransomware attack, a breach has occurred because the [electronic PHI] encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” A breach is therefore presumed unless the entity can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised. In addition to the four factors the Breach Notification Rule already requires entities to weigh, OCR suggests that covered entities and business associates consider the type and variant of malware; “the algorithmic steps undertaken by the malware; communications, including exfiltration attempts between the malware and attackers’ command and control servers;” and whether the malware may have affected other systems or other electronic PHI. The Guidance also cautions that encrypting electronic PHI before an attack does not by itself settle the question: full disk encryption, for example, protects data only while the device is powered off or no user is authenticated, so ransomware executing within a logged-in user’s session may have had access to unencrypted PHI, and a fact-specific analysis is still required.
Security Rule compliance is critical as more health care information is stored electronically in a host of media types. Malware continues to become more sophisticated and its effects more devastating. If covered entities or business associates have not recently reviewed or audited their Security Rule compliance or conducted a risk assessment, now is the time to do so.
Saul Ewing attorneys regularly counsel covered entities and business associates with HIPAA Privacy Rule, Security Rule and Breach Notification Rule compliance. Firm attorneys can assist health care entities with HIPAA compliance audits, Security Rule risk assessments and workforce HIPAA training. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.