With the dramatic rise in ransomware, there has been much speculation on whether ransomware attacks constitute a reportable breach under HIPAA. The Department of Health and Human Services (HHS) issued guidance to provide clarity on this controversy once and for all. Short answer: yes, it does.
HIPAA defines a breach as “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.”
Whether ransomware constitutes a breach under HIPAA is a fact-specific determination. HHS’s guidance states that when a healthcare organization is hit with a ransomware attack and electronic protected health information is encrypted as a result, a breach has occurred.
During a typical ransomware attack on a healthcare organization, the attackers take control of the ePHI and encrypt it. The ePHI has therefore been acquired by an unauthorized party, which is a disclosure not permitted by the Privacy Rule.
Unless the attacked organization can show a low probability that the PHI was compromised, a breach of the information is presumed. The organization must then comply with the breach notification rules in HITECH, i.e. notify the affected individuals, HHS, and any other required parties.
How can an organization show a low probability that PHI was compromised as a result of a ransomware attack? HIPAA relies on a risk assessment of the breach taking into consideration the following four factors:
- The nature and extent of the PHI involved
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to PHI has been mitigated
As far as ransomware goes, victim organizations should note the following in their risk assessment:
- The exact type and variant of malware discovered
- The algorithmic steps undertaken by the malware
- Communications between the malware and the attackers’ command servers
- Whether or not the malware infected other systems
Identifying these factors should help an organization determine what type of data the malware was searching for, whether or not the data was taken from the organization’s systems, and whether the information was actually acquired or viewed.
The important thing to note from this HHS guidance is that, for healthcare organizations, a ransomware attack could result in a reportable breach. Many security experts and breach lawyers had viewed ransomware attacks in a different light, and not many organizations were reporting these attacks to HHS.
With the new guidance, we expect to see more breaches reported to the HHS at the end of the year, as well as more breaches hitting the HHS’s Wall of Shame.
With an uptick in the number of reported breaches, it is also expected that OCR (the HHS Office for Civil Rights) will get more involved in investigations into ransomware attacks. It will be interesting to see whether any new HIPAA enforcement actions arise from organizations hit with ransomware.
If your organization suffers a ransomware attack, it’s crucial to get a breach coach involved right away to help navigate the different reporting requirements.