Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Blog Post

June 5, 2017

Ransomware: What Is It and How Is It Treated Under HIPAA?

Sophisticated ransomware has emerged as a major global security threat. On May 12, 2017, there were over 75,000 ransomware attacks on 99 countries that impacted businesses, including several hospitals in the United Kingdom. In the wake of these attacks, health care providers in the United States are urged to understand ransomware and how it is addressed under HIPAA to prepare for security threats to their Protected Health Information.

How Does Ransomware Work? Ransomware is a type of malware that attempts to deny access to data, generally by encrypting data in a computer system. Hackers can infect a computer through several methods, including malicious website links and email attachments. The malware encrypts data and blocks users’ access to the system until they agree to pay a specified ransom. In the recent ransomware attack in UK hospitals, when employees attempted to access the encrypted files, they were prompted to pay $300 in “bitcoin”—a cryptocurrency—in order to access files.

How is Ransomware Viewed Under HIPAA? On July 11, 2016, the U.S. Department of Health and Human Services (“HHS”) issued guidance on ransomware stating that the HIPAA Security Rule requires implementation of security measures to prevent introduction of malware, including ransomware. Such measures include security management (risk analysis and implementation of security measures to mitigate or remediate identified risks), implementing procedures to guard against malware, training users on malware to assist in detecting malware, and implementing access controls to limit access to ePHI. The guidance also indicates that when ePHI is encrypted due to a ransomware attack, a breach has occurred requiring notification. Under HHS’ analysis, in a ransomware attack ePHI is “acquired” resulting in an unauthorized “disclosure” because an unauthorized individual takes possession or control of the information. A breach of PHI is presumed in a ransomware attack, unless the affected Covered Entity or Business Associate can show that there is low probability that PHI has been compromised via a risk assessment.

The HHS guidance raises questions regarding how to conduct an appropriate breach notification assessment in the event of a ransomware attack. Typically risk assessments will consider whether there is a low probability that PHI has been compromised by considering four factors: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. The guidance, however, states that entities should also consider additional factors, including high risk of unavailability of data or high risk to the integrity of the data, suggesting that the traditional risk assessment framework may not be entirely suitable in the ransomware context. The guidance also suggests that merely the unavailability of data resulting in a delay of services could be grounds for considering PHI “compromised” under the risk assessment framework, triggering breach notification requirements.

Featured Media

Alerts

RAPID Action: NYS Office of Energy Renewable Energy Siting and Transmission Announces Draft Regulations for New Transmission Siting Framework

Alerts

NYSDEC Issues Draft Freshwater Wetlands General Permit

Alerts

USPTO Updates Audit Program

Alerts

NYS DOL Publishes Long-Awaited FAQs on Paid Prenatal Leave Law

Alerts

Update on Massachusetts Pay Transparency Law Disclosures and EEO Reporting Requirements in 2025

Alerts

Massachusetts Employers Required to Provide Job Applicants Notice That Use of a Lie Detector Test Is Unlawful

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out