The Office for Civil Rights (OCR) issued a Fact Sheet regarding Ransomware and HIPAA. During 2016, ransomware attacks increased 300%, and healthcare organizations are being targeted. This increase in threat activity raises the consequences of a weak security program.
An effective HIPAA compliance program can significantly reduce both the probability that a ransomware attack will occur and the impact if one does occur. Safeguards including a rigorous patching program, malware protection for web browsing and email, and security awareness training for staff will all reduce the likelihood of a successful attack. Secure network design including isolation of important ePHI, a security incident response capability, and a robust data recovery capability can all reduce the impact if an attack does occur.
The OCR guidance stresses that the HIPAA standards constitute a floor, that is, minimum requirements for the security of ePHI. It highlights the benefit and importance of a comprehensive patching program that includes firmware updates for firewalls, routers, switches and other devices on the network. Patching is important because malware spreads by exploiting security weaknesses that are often corrected by security patches.
OCR further stresses the importance of a robust data recovery capability. When Eagle Consulting performs a risk analysis, just about every organization states that it has a regular backup. However, only a small percentage of organizations routinely perform robust recovery tests to validate that the backup can be used on a consistent basis. The increase in ransomware attacks increases the importance of investing in recovery testing.
When a ransomware attack occurs, an effective security incident management capability is essential. This incident management capability includes the ability to:
- detect and conduct an initial analysis of the ransomware
- contain the impact and propagation of the ransomware
- eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation
- recover from the ransomware attack by restoring data lost
- conduct post-incident activities and correct underlying deficiencies that permitted the ransomware attack in the first place
One of the questions is whether a ransomware attack constitutes a breach which must be reported. The answer is nuanced and may differ from one situation to another. We start with the definition of a breach in the HIPAA rules. A breach is “. . . the acquisition, access, use or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”
When ePHI is encrypted as the result of a ransomware attack, a breach is presumed to have occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and that acquisition is thus a “disclosure” not permitted under the HIPAA Privacy Rule. Per the Breach Notification Rule, a breach has occurred unless the organization can demonstrate through a risk assessment that there is “. . . a low probability that the PHI has been compromised.” This risk assessment must be in writing and conform to the requirements of the Breach Notification Rule.
The Breach Notification Rule requires that the risk analysis include, at a minimum, the following four factors:
- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- the unauthorized person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed; and
- the extent to which the risk to the PHI has been mitigated.
If the organization had encrypted the data at rest prior to the attack, then by definition the incident would not constitute a breach. If it was not encrypted, the organization may need to research the exact type and variant of malware involved and whether this strain of ransomware attempts to exfiltrate data to its command and control servers. If it is determined that no exfiltration occurred, then the organization could argue in the risk assessment that there was a low probability that the PHI had been compromised.
The complete guidance from OCR is available at OCR Fact Sheet: Ransomware and HIPAA.