The Department of Health and Human Services (HHS) released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.
2016 Sees Huge Rise in Ransomware
Ransomware is a type of malware designed to restrict access to a user’s own system or data, primarily through encryption, until a ransom payment is made to return the access to the user. Ransomware cyberattacks are on the rise. A recent US interagency report described ransomware as the “fastest growing malware threat,” impacting individuals and organizations of all sizes. With an average of 4,000 ransomware attacks per day, the first half of 2016 saw a 300% increase in occurrences over 2015.
The inability to access sensitive or proprietary information can be catastrophic for an organization and can cause disruption of regular operations, remediation costs, permanent loss of data, and reputational harm. For healthcare organizations, the ability to access patient records can be a matter of life and death. Attackers, recognizing this threat, have targeted healthcare organizations—hospitals in particular—demanding payments in exchange for the encryption keys necessary for the organization to be able to decrypt and access their data.
Ransomware and HIPAA
With the rate of ransomware attacks affecting the health industry rapidly increasing, HHS released guidance on ransomware and HIPAA compliance earlier this month. Unlike other types of malware, ransomware is typically not intended to exfiltrate data. Despite the fact that, in most ransomware cases, sensitive patient information will not be taken by the attackers from the providers’ networks, HHS nonetheless clarified that covered entities and business associates must apply the requirements of HIPAA’s Security Rule, Privacy Rule, and Breach Notification Rule in responding to ransomware attacks.
For entities subject to HIPAA’s requirements, there are a number of important implications. First, the Security Management Process standard requires that covered entities conduct an accurate and thorough analysis of the risks to the security and availability of electronic PHI, and implement security measures to mitigate identified risks. A covered entity’s procedures must account for the unique type of threat that ransomware creates, including plans for maintaining frequent backups of data (both online and offline). Covered entities must also implement procedures for detecting and protecting against ransomware and other forms of malware. In the event of a ransomware attack, entities must use response and reporting procedures as they would for other malware attacks.
Second, the guidance clarified that the presence of ransomware is considered a “security incident” under HIPAA. If ransomware is detected, entities are required to respond by: (1) conducting an initial analysis, (2) containing the infection, (3) removing the infection and implementing a solution to the vulnerability that allowed the infection, (4) restoring lost data and returning to normal operations, and (5) conducting a post-incident analysis to determine whether the incident created any legal obligations. The initial analysis of the incident should seek to determine the scope, origin, scale, and vector of the ransomware attack. For example, ransomware once was an attack of opportunity, delivered when a user navigated to a malicious website using a vulnerable web browser or plug-in. Recent attack trends suggest that ransomware is increasingly being delivered through “weaponized” documents attached to phishing emails. Users unwittingly click on the attachment in an email that appears to be from someone they know, and then the ransomware hidden in that attached document activates to infect that user’s system. For some types of ransomware, the files may be recovered through the availability of public keys. For others, restoring from back-up, or paying the ransom and depending on the attacker to provide the necessary key, will be the only way to recover those files.
Though the guidance states that each ransomware incident requires a fact-specific determination, in clarifying HHS’ interpretation of a “breach” under HIPAA, it also states that because “unauthorized individuals have taken possession or control of the information,” HHS considered the data to have been acquired; and thus, in its view, a breach has occurred. The guidance outlines for entities how they should conduct a low probability of compromise risk analysis. In addition to the four risk factors included in the Breach Notification Rule, the guidance states that entities should consider “additional factors” to evaluate the risk that the PHI has been compromised, such as the unavailability of the data or a high risk to the integrity of the data. And, as with any security incident or breach, entities must maintain supporting documentation for their analysis.
Finally, the guidance makes clear that a ransomware attack affecting secured PHI (PHI encrypted in a manner consistent with HIPAA requirements and guidance), would not be considered a notifiable breach, because the breach notification provisions are only applicable to unsecured PHI.
HHS recently imposed significant penalties on organizations that failed to properly assess and address cybersecurity risk. HHS’s guidance on ransomware is another indication that regulators will continue to emphasize cybersecurity risk management in their enforcement actions. All entities within the health sector, and particularly those subject to HIPAA, should take steps to plan for incident response, before a ransomware or other cyberattack hits. These steps include:
- Implementing cybersecurity protection measures;
- Training users to minimize the risks associated with ransomware;
- Developing and periodically revising and testing your entity’s cybersecurity incident response plan as well as general disaster recovery and contingency plan; and
- Conducting a risk analysis and developing a risk management plan to identify and mitigate cybersecurity vulnerabilities, which could increase the risk of a ransomware attack.
Ryan Thompson, a summer associate in the Washington, D.C. office, contributed to this entry.