On July 11, 2016, the HHS Office of Civil Rights (OCR) released guidance on HIPAA covered entities’ responsibilities in a ransomware attack, a type of cyber-attack that has targeted the health care sector extensively in recent months. This guidance comes in the wake of a June 20, 2016 “Dear Colleague” letter from HHS Secretary Sylvia Burwell highlighting ransomware issues. The most notable of OCR’s statements is that ransomware attacks often constitute breaches subject to the HIPAA Breach Notification Rule.
Ransomware as Security Incident
OCR’s guidance states that the presence of ransomware on a covered entity’s or business associate’s computer systems represents a “security incident” under the HIPAA Security Rule, as defined in 45 C.F.R. § 164.304. HIPAA covered entities and business associates must develop and implement “reasonable and appropriate” response and reporting processes for security incidents such as ransomware attacks. OCR advises that an entity’s security incident response activities begin with an analysis to determine the scope and origination of the incident, as well as how it occurred and whether it is ongoing. Subsequent actions should include:
- Containing the impact and propagation of the ransomware;
- Eradicating the ransomware and mitigating the vulnerabilities that allowed it to take hold;
- Restoring lost data and returning to “business as usual”;
- Ascertaining regulatory, contractual, or other responsibilities resulting from the incident;
- Incorporating lessons learned into the entity’s security management; and
- Assessing whether there was a breach of PHI as a result of the security incident.
Ransomware as Breach
Under 45 C.F.R. § 164.402, a “breach” under the HIPAA rules is defined as “. . . the acquisition, access, use, or disclosure of [PHI] in a manner not permitted … which compromises the security or privacy of the protected health information.” OCR’s guidance states that when electronic PHI (ePHI) is encrypted as a result of a ransomware attack, a breach has happened because the encrypted ePHI “was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
If the covered entity or business associate is unable to show that there is a “. . . low probability that the PHI has been compromised” using the Breach Notification Rule factors, a breach is presumed to have taken place. Under 45 C.F.R. § 164.402(2), a risk assessment considering at least the following factors must be conducted to show a low probability of compromise:
- The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification;
- The unauthorized person who used the PHI or to whom disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
In its guidance, OCR also encourages entities to consider additional factors, such as whether there is a high risk of unavailability of the data or a high risk to the integrity of the data. The integrity of the data is an especially important consideration in the ransomware context when assessing whether a risk has been mitigated, because ransomware tends to delete the original data and leave only the encrypted copy. Another mitigation consideration is whether the data has been “exfiltrated,” that is, transferred without authorization out of the information system, and, if so, whether it can be recovered.
If a breach is presumed to have taken place, then breach notification must be made, including notification to affected individuals, to HHS, and, for breaches affecting over 500 residents of a state or jurisdiction, to the media.
Lastly, OCR reminded entities that 45 C.F.R. § 164.530(j)(iv) requires covered entities and business associates to maintain supporting documentation sufficient to meet their burden of proof regarding the breach assessment. This includes documentation of the conclusions reached, of any exceptions determined to apply to the impermissible use or disclosure, and of the notifications made if a reportable breach was determined to have occurred.
Ransomware Attacks on Encrypted Data
OCR’s guidance notes that HIPAA’s breach notification provisions only apply to PHI not secured through the use of a technology or methodology specified by the Secretary in guidance, which includes encryption consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Whether information is encrypted is determined as of the point in time at which the ransomware accessed the file.
In addition to these points, OCR’s guidance also noted that policies and procedures required by the HIPAA Security Rule can help entities prevent, respond to and recover from ransomware attacks. OCR also recommends that an entity infected with ransomware contact its local FBI or Secret Service field office; we recommend you work with your counsel before making any contact with law enforcement.