Fact Sheet: Ransomware and HIPAA (July 11, 2016)
HHS has issued guidance on the role HIPAA has in helping covered entities and business associates prevent and recover from ransomware attacks. Ransomware is malware (malicious software) that encrypts data and makes it inaccessible to the targeted organization until a ransom is paid. It can infect devices and systems through spam, phishing messages, websites, and email attachments when a user clicks on the malicious link or opens the attachment. The guidance includes a list of HIPAA-required security measures that can help organizations prevent, detect, and respond to ransomware threats. These include conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI), implementing procedures to safeguard against malware, training authorized users on detecting and reporting malware, limiting access to ePHI to persons or programs requiring access, and maintaining an overall contingency plan that includes disaster recovery, emergency operations, data backups, and test restorations.
HHS explains that the presence of ransomware (or other malware) on an organization’s computer systems is a security incident under the HIPAA security rule and should trigger security incident response and reporting activities, as further described in the guidance. Furthermore, a ransomware attack usually results in a breach under the HIPAA breach notification rule, requiring notification of individuals whose information is involved in the breach as well as HHS and, in some cases, the media. However, breach notification would not be required if the organization can demonstrate—by conducting HIPAA’s four-factor risk assessment plus other considerations set forth in the guidance—that there is a low probability that protected health information (PHI) has been compromised. If the organization has encrypted the ePHI in a manner consistent with HHS guidance, then the breach notification provisions will not apply (i.e., the organization need not determine whether there is a low probability of compromise, and breach notification is not required). The guidance cautions, however, that additional analysis may be necessary to determine whether the file containing the ePHI was in a decrypted state when the ransomware accessed it; if so, the breach notification rule will apply. For example, as further explained in the guidance, if full disk encryption is the only encryption solution in place, the ransomware may be able to access the file containing ePHI, because a running system transparently decrypts files for any process on it, including the ransomware.
EBIA Comment: An HHS blog post reports that ransomware attacks are on the rise and are considered one of the biggest threats to health information privacy. This guidance will help covered entities and business associates understand their HIPAA obligations in the event of a ransomware attack, and ensure that they are taking appropriate steps to safeguard their data from the threat. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXV.B (“Breach Notification for Unsecured PHI: What Constitutes a Breach?”) and XXX.B (“Core Security Requirements: Administrative Safeguards”). You may also be interested in our upcoming webinars “HIPAA Basic Training: Get Your Privacy and Security Compliance on Track for 2016” and “HIPAA Privacy & Security Enforcement: Phase II Audit Program and Recent Settlements” (both live on 11/16/16).
Contributing Editors: EBIA Staff.