HHS Office for Civil Rights releases ransomware guidance

There has been a lot of articles written lately about the threat of ransomware to healthcare organizations. Hollywood Presbyterian Medical Center paid a $17,000 ransom to regain access to their systems after they were infected with ransomware.  Several other hospitals have been ransomware victims and countless other medical practices have fallen victim as well.

There was a lot of discussion about whether ransomware is a reportable breach under the HIPAA Security Rule. We argued that the latest variations of ransomware would constitute a reportable breach because it was not only encrypting the data but the malware was stealing data as well.

Now the HHS Office of Civil Rights (OCR) has issued guidance on the ransomware menace (PDF) to HIPAA covered entities and business associates.

A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015).

Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure in order to deny the organization access to its own data by encrypting that data. However, there are measures known to be effective to prevent the introduction of ransomware and to recover from a ransomware attack. This document describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role the Health Insurance Portability and Accountability Act (HIPAA) has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.

OCR addressees the issue of whether a ransomware attack would be a HIPAA breach:

Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?

Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.6

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

OCR points out that not all ransomware would be a reportable breach. The organization has to go through a security incident response to determine exactly what happened.  This is the same procedure if an organization had a lost laptop. The incident response would try to determine what data was on the laptop, what methods of protection were on the laptop (i.e. password or encryption), etc. But in the case of ransomware, OCR is stating that forensic analysis needs to be performed to determine the strain of ransomware, the communication between the ransomware and the criminals’ servers, if any data was copied off of the organization’s servers, etc.

A thorough and accurate evaluation of the evidence acquired and analyzed as a result of security incident response activities could help entities with the risk assessment process above by revealing, for example: the exact type and variant of malware discovered; the algorithmic steps undertaken by the malware; communications, including exfiltration attempts between the malware and attackers’ command and control servers; and whether or not the malware propagated to other systems, potentially affecting additional sources of electronic PHI (ePHI). Correctly identifying the malware involved can assist an entity to determine what algorithmic steps the malware is programmed to perform. Understanding what a particular strain of malware is programmed to do can help determine how or if a particular malware variant may laterally propagate throughout an entity’s enterprise, what types of data the malware is searching for, whether or not the malware may attempt to exfiltrate data, or whether or not the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthorized access, among other factors.

OCR goes on to state that organizations need to look at the impact to the integrity of the data after the ransomware attack. As OCR points out, may times the ransomware will delete the original data and only leave the data in encrypted form. Would the dates of the data be changed from the original data? Can an organization prove that the data is exactly the same before, during and after the ransomware attack? They also point out that having data backups and disaster recovery plans could assist with ensuring the integrity of the data. 

Additionally, with respect to considering the extent to which the risk to PHI has been mitigated (the fourth factor) where ransomware has accessed PHI, the entity may wish to consider the impact of the ransomware on the integrity of the PHI. Frequently, ransomware, after encrypting the data it was seeking, deletes the original data and leaves only the data in encrypted form. An entity may be able to show mitigation of the impact of a ransomware attack affecting the integrity of PHI through the implementation of robust contingency plans including disaster recovery and data backup plans. Conducting frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack and ensuring the integrity of PHI affected by ransomware. Test restorations should be periodically conducted to verify the integrity of backed up data and provide confidence in an organization’s data restoration capabilities. Integrity to PHI data is only one aspect when considering to what extent the risk to PHI has been mitigated. Additional aspects, including whether or not PHI has been exfiltrated, should also be considered when determining the extent to which the risk to PHI has been mitigated.


What OCR is making very clear is that ransomware is a real threat to healthcare organizations and their business associates. And that if an organization is a ransomware victim they need to do a LOT of work to either prove or disprove that the ransomware attack is a reportable or non-reportable breach under the HIPAA Security Rule. Unfortunately it is not easy to do this analysis if the proper network controls are not in place prior to the attack. Figuring out what data the ransomware accessed, the communication between the criminals’ servers and the integrity of the data takes a lot of evidence that needs to be collected before, during and after a ransomware attack. Without this evidence organizations will need to be very cautious.  This will lead to a lot of HIPAA reportable breaches due to ransomware attacks.
Watch a short video on the ransomware threat to organizations

Get more information on free HIPAA security training! >>>