On July 11, 2016, the Office of Civil Rights (“OCR”) at the Department of Health and Human Services issued new HIPAA guidance regarding the growing epidemic of malicious computer software known as “ransomware”.
Perhaps the most significant conclusion in the guidance is that, “when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a disclosure not permitted under the HIPAA Privacy Rule.” (emphasis added)
A Rebuttable Presumption That a Breach Has Occurred
A breach of PHI is presumed to have occurred, “unless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised’, based on the factors set forth in the Breach Notification Rule.” Section 7 of the guidance provides an explanation of the risk assessment that covered entities and business associates would need to undertake to demonstrate that there is a “low probability that the PHI has been compromised”.
And if a Breach Has Occurred…
If a breach has occurred, then the entity must comply with the applicable breach notification provisions, including notification to (1) affected individuals without unreasonable delay, (2) the Secretary of HHS, and (3) the media (for breaches affecting over 500 individuals), per HIPAA breach notification requirements set forth in 45 C.F.R. §164.400-414.
Ransomware Attacks Are Skyrocketing
The health care industry is not alone in its concern about the evolving scourge of ransomware. A recent U.S. Government interagency report, “How to Protect Your Networks Against Ransomware”, indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase since 2015).
Indeed, earlier this year, the FBI posted an article concerning the rise of ransomware attacks. The FBI observed that, “ransomware attacks are not only proliferating, they’re becoming more sophisticated.” According to an FBI official quoted in the article, “these criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”
Preparing For the Worst
The FBI notes that it “does not support paying a ransom in response to a ransomware attack.” Instead, it recommends that organizations should focus on two main areas:
- Prevention efforts, both in terms of awareness training for employees and robust technical prevention controls; and
- The creation of a solid business continuity plan in the event of a ransomware attack.
On its blog site, the OCR noted that “the new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including:
- Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
- Implementing procedures to safeguard against malicious software;
- Training authorized users on detecting malicious software and reporting such detections;
- Limiting access to ePHI to only those persons or software programs requiring access; and
- Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.”
Stay tuned for further developments.