Ransomware is the fastest growing malware threat in the United States, targeting everything from simple home computers to elaborate corporate information technology networks. The Federal Bureau of Investigation (FBI) recently reported an increase in ransomware attacks—more than 4,000 ransomware attacks daily in 2016, which is a 300% increase over attacks in 2015. Recognizing the threat that ransomware poses to our country’s critical health care infrastructure, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released new Health Insurance Portability and Accountability Act (HIPAA) Guidance on preventing and responding to ransomware attacks (Guidance).
The Guidance reinforces the need for policies and procedures to assist organizations in preventing, detecting, containing, and responding to ransomware threats. Further, the Guidance created a bright line test for ransomware breaches—highlighting the responsibility of HIPAA covered entities and their business associates to treat the presence of ransomware as a reportable breach, unless able to demonstrate there is a low probability that the protected health information (PHI) has been compromised. The Guidance addresses several key points.
The Guidance introduces OCR’s view that when unsecured PHI is attacked and encrypted as the result of ransomware, a breach of unsecured PHI is presumed because the unsecured PHI encrypted by the ransomware was in fact acquired (i.e., unauthorized individuals have taken possession or control of the information). Thus, OCR considers the attack a “disclosure” of PHI that is not permitted under the HIPAA Privacy Rule unless the covered entity or business associate can prove that there is a “…low probability that the PHI has been compromised.”
To determine whether there is a low probability that unsecured PHI has been compromised, a risk assessment must be performed considering at least the four factors published under the Breach Notification Rule. The Guidance encourages entities to consider two additional factors with respect to ransomware: (1) whether there is a high risk of unavailability of PHI; and (2) whether there is a high risk to the integrity of the PHI.
The Guidance also tackles the thorny question of whether there is a breach of unsecured PHI when the PHI affected by the ransomware was, at the time of the attack, already encrypted in a manner consistent with the safe harbor under the HHS Guidance to Render Unsecured Protected Health Information Unusable, Unreadable or Indecipherable to Unauthorized Individuals. The short answer: this is a fact-specific determination.
The Guidance recommends that an entity infected with ransomware contact its local FBI or U.S. Secret Service field office. Entities may find that notifying law enforcement invokes the law enforcement exception to the Breach Notification Rule—allowing more time for investigation and notification, if needed.
On the subject of whether to pay the ransom, the Guidance refers to a recently released U.S. Government interagency technical report entitled “How to Protect Your Networks from Ransomware,” which encourages businesses not to pay the ransom, warning that there are serious risks to consider:
- Paying a ransom does not guarantee an organization will regain access to its data; in fact, some victims were never provided with decryption keys after paying ransom;
- Some victims who paid the demand have reported being targeted again by cyber actors;
- After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key; and
- Paying ransom could inadvertently encourage this criminal business model to continue.
The Guidance also describes in detail the thorough analysis that an attacked entity or business associate should conduct when responding to a security incident. The initial analysis should:
- Determine the scope of the incident to identify what networks, systems, or applications are affected;
- Determine the origination of the incident (who/what/where/when);
- Determine whether the incident is finished, is ongoing, or has propagated additional incidents throughout the environment;
- Determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited);
- Contain the impact and propagation of the ransomware; and
- Eradicate the instances of ransomware.
Lastly, the Guidance reminds HIPAA covered entities that the Security Rule already requires the implementation of security measures and risk analysis that can help prevent the introduction of ransomware.