In response to the WannaCry ransomware attack that infiltrated the computer systems of health care systems and other entities worldwide on or around May 12, 2017 (previously discussed here), HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) issued a series of updates to provide consumers and potentially affected organizations with information on the attack and to detail HHS’ efforts to mitigate the harmful effects of the attack on government computer systems and health care organizations.
In five successive updates issued between May 13 and May 17, ASPR provided links to the most up-to-date information from the U.S. government on cyber threats (including from the US-CERT Cyber Awareness System, the FBI, HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC)), and solicited information on new attack vectors, as well as regarding any impact the attack may have had on patient care or supply chain distribution.
For organizations that qualify as covered entities under HIPAA, ASPR’s guidance reminded such entities that OCR presumes a breach in the event of a ransomware attack affecting unencrypted PHI (as set forth in its previous ransomware guidance, discussed here), and that breaches caused by ransomware attacks must be reported to OCR in accordance with the Breach Notification Rule (even if an entity separately reports the attack to law enforcement, or a separate division within HHS). Additionally, ASPR guided potentially affected entities to an FAQ issued by OCR in September, 2016, which in pertinent part provides that covered entities may not disclose PHI for purposes of cybersecurity information-sharing of cyber threat indicators. As a result, covered entities seeking to report cyber threat indicators related to WannaCry or a future ransomware attack would be well advised to remove PHI from any such reports.
In its final update, the ASPR set forth a mechanism for submission of “After Action” thoughts and comments regarding the government’s response to the WannaCry attack, and shared information on processes for victim reporting and cyber threat indicator sharing. ASPR also provided information in the form of FAQs on the FDA’s oversight of medical devices in the context of cybersecurity (with related guidance available here).