On July 11, 2016, the U.S. Department of Health & Human Services (HHS) issued a Fact Sheet that provides guidance on (i) how HIPAA Security Rule compliance can assist health care organizations in combating ransomware attacks, and (ii) the applicability of HIPAA’s Breach Notification Rule to ransomware attacks. This guidance is particularly timely given the recent proliferation of ransomware attacks (see, e.g., previous posts here and here), which Office for Civil Rights (OCR) Director Jocelyn Samuels characterizes as “one of the biggest current threats to health information privacy.”
The Fact Sheet defines ransomware as:
“a type of malware (malicious software)… [whose] defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.”
HHS notes that ransom is often demanded in a cryptocurrency, such as bitcoin or ether, to reduce the likelihood that the hacker can later be identified.
According to HHS, compliance with the Security Rule can help entities prevent malware attacks and mitigate damage caused by such attacks. The Fact Sheet mostly reiterates fundamental Security Rule requirements in the context of a malware attack, including the importance of a comprehensive risk analysis, implementation of security measures informed by the risk analysis, having a data backup plan as part of an overall contingency plan, security incident response procedures, and appropriate security training for workforce members. The Fact Sheet emphasizes that the Security Rule only establishes minimum security requirements, and health care organizations are encouraged to adopt more stringent measures.
Breach Notification Rule
The Fact Sheet also addresses applicability of the Breach Notification Rule to ransomware attacks. HHS states that when electronic protected health information (ePHI) “is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired” by an unauthorized person, and therefore the ePHI was “disclosed” in violation of the Privacy Rule.
Interestingly, HHS uses the phrase “a breach has occurred” in the Fact Sheet, but also acknowledges that, while an impermissible disclosure is presumed to constitute a reportable breach under the Breach Notification Rule, that presumption can be overcome by demonstrating, on the basis of a risk assessment, that there is a low probability that PHI has been compromised. The Fact Sheet includes specific guidance on conducting a comprehensive risk assessment after a ransomware attack, but the excerpt quoted above suggests that HHS is likely to be skeptical of claims that there is a low probability that PHI was compromised by a ransomware attack. This reading is supported by OCR Director Jocelyn Samuels’s above-cited blog post, which states in pertinent part that “[t]he guidance makes clear that a ransomware attack usually results in a breach” under the Breach Notification Rule.
Finally, the Fact Sheet provides an important reminder regarding the benefits of encryption. Because the Breach Notification Rule only applies to “unsecured” PHI, HHS affirms that as long as ePHI has been encrypted in accordance with HHS encryption guidance such that it is no longer “unsecured,” a ransomware attack involving such encrypted ePHI would not constitute a reportable breach.