Preventing and Responding to ePHI Ransomware Breaches

The ransomware threat to Health Insurance Portability and Accountability Act (HIPAA) covered entities is real and growing. According to a recent U.S. government interagency report, since early 2016 there have been an average of 4,000 daily ransomware attacks—a 300% increase over 2015, which had 1,000 daily ransomware attacks reported. Many of these attacks are aimed at electronic protected health information (ePHI), which means HIPAA covered entities are usually involved.

What Is Ransomware?

Ransomware is malware that is usually disguised as a legitimate file. The payload, once released, adversely affects the victim’s computer and demands a ransom payment to fix the system. Advanced ransomware often encrypts the victim’s files and then calls for payment in order to decrypt the files. As mentioned earlier, ransomware attacks, particularly those aimed at ePHI, are becoming increasingly common.

In recognition of this increased threat to HIPAA covered entities, the U.S. Department of Health and Human Services (HHS) released guidance on how to prevent and recover from ransomware breaches. The HHS offers these tips to prevent ransomware attacks:

  • Conduct a risk analysis to identify threats and vulnerabilities to ePHI and establish a plan to mitigate or remediate identified risks
  • Implement procedures to safeguard against malicious software
  • Train authorized users to detect malicious software and report such detections
  • Limit access to ePHI to only those persons or software programs requiring access
  • Maintain an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations

Has a Data Breach Occurred ... Or Not?

A breach under the HIPAA Rules is defined as “…the acquisition, access, use or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”

The most common ransomware variants in circulation to date are not designed to “steal” data from infected computers. Rather, the intent is to make data unavailable to its owner until a payment is made. With this being the case, it is reasonable to conclude that “disclosure” of data has not occurred and the incident will not rise to the level of a data breach requiring mass notification. Conversely, if a HIPAA covered entity is impacted by such an attack and ePHI has been encrypted by ransomware, it is definitely considered a breach.

According to the HHS Fact Sheet:

“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.”

The HHS goes on to further qualify this statement:

Unless the covered entity or business associate can demonstrate a “...low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.

Quickly engaging an expert third-party incident response professional to perform a comprehensive risk assessment and investigation surrounding the ransomware incident demonstrates that a covered entity is acting proactively. Further, it ensures the covered entity is able to defend its position with facts from an expert investigator showing a “low probability that PHI has been compromised.” This ultimately serves to avoid arduous, expensive, and brand-damaging public notification requirements.

Prevent, Detect, and Recover from Ransomware

Fortunately, the HIPAA reporting requirements and security requirements help covered entities prevent and recover from these types of attacks. For more detail about the HHS guidance and in-depth recommendations on how to prevent, detect, and recover from ransomware breaches, review the Ransomware Fact Sheet.