Sophisticated ransomware has emerged as a major global security threat. On May 12, 2017, there were over 75,000 ransomware attacks in 99 countries that impacted businesses, including several hospitals in the United Kingdom. In the wake of these attacks, health care providers in the United States are urged to understand ransomware and how it is addressed under HIPAA so they can prepare for security threats to their Protected Health Information.
How Does Ransomware Work?

Ransomware is a type of malware that attempts to deny access to data, generally by encrypting the data on a computer system. Attackers can infect a computer through several methods, including malicious website links and email attachments. The malware encrypts data and blocks users’ access to the system until they agree to pay a specified ransom. In the recent ransomware attack on UK hospitals, when employees attempted to access the encrypted files, they were prompted to pay $300 in “bitcoin”—a cryptocurrency—to regain access to the files.
How Is Ransomware Viewed Under HIPAA?

On July 11, 2016, the U.S. Department of Health and Human Services (“HHS”) issued guidance on ransomware stating that the HIPAA Security Rule requires the implementation of security measures to prevent the introduction of malware, including ransomware. Such measures include security management (risk analysis and implementation of security measures to mitigate or remediate identified risks), implementing procedures to guard against malware, training users on malware so they can help detect it, and implementing access controls to limit access to ePHI. The guidance also indicates that when ePHI is encrypted in a ransomware attack, a breach has occurred that requires notification. Under HHS’ analysis, in a ransomware attack ePHI is “acquired,” resulting in an unauthorized “disclosure,” because an unauthorized individual takes possession or control of the information. A breach of PHI is presumed in a ransomware attack unless the affected Covered Entity or Business Associate can show, through a risk assessment, that there is a low probability that the PHI has been compromised.
The HHS guidance raises questions about how to conduct an appropriate breach notification assessment in the event of a ransomware attack. Typically, a risk assessment determines whether there is a low probability that PHI has been compromised by considering four factors: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. The guidance, however, states that entities should also consider additional factors, including a high risk of unavailability of the data or a high risk to the integrity of the data, suggesting that the traditional risk assessment framework may not be entirely suitable in the ransomware context. The guidance also suggests that the mere unavailability of data resulting in a delay of services could be grounds for considering PHI “compromised” under the risk assessment framework, triggering breach notification requirements.