An estimated 4,000 ransomware attacks occurred daily in 2016, according to the U.S. Government Interagency Guidance Document, “How to Protect Your Networks from Ransomware.” That’s a 300% increase over the 1,000 daily ransomware attacks reported in 2015. As a result, covered entities (CEs) and business associates (BAs) are wondering whether ransomware attacks on private health information (PHI) are considered HIPAA security breaches.
The question of whether ransomware attacks are considered HIPAA violations is not a simple one. “We need to remember that HIPAA is narrowly drawn and that a breach is defined as the unauthorized ‘access, acquisition, use or disclosure’ of PHI,” states David C. Harlow, Principal, The Harlow Group, LLC. “In many cases, ransomware ‘wraps’ PHI rather than breaches it. This may explain why there are so few public reports of ransomware in healthcare–there is no obligation to report these incidents to OCR,” he concludes.
Some healthcare compliance experts believe that while ransomware attacks do not qualify as HIPAA violations, they create a “…message of lax security that’s being broadcast to cybercriminals around the world.” However, others believe that these attacks are indeed breaches of HIPAA compliance. They caution that, as ransomware becomes an increasingly worrisome problem, it’s imperative to be aware of cyber security threats and take preventive steps against them.
If your company manages sensitive data, you’re already aware of the increase in security incidents through the news—data breaches and malware attacks are rampant—but you may wonder how ransomware affects your network and what you need to do to protect your data.
“Ransomware is a form of malware that encrypts files on an infected device and holds them hostage until the user pays a ransom to the malware operators,” says Juliana de Groot, writing for Digital Guardian. According to de Groot, millions of dollars have been extorted through ransomware attacks, dating back to the 1989 AIDS/PC Cyborg Trojan. Today, common strains of ransomware include Cryptolocker (isolated in 2014), Cryptowall, Locky, and Samas or Samsam.
The U.S. Department of Health and Human Services (HHS) defines ransomware as a type of malicious software, or malware, that “attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key. However, hackers may deploy ransomware that also destroys or exfiltrates data, or ransomware in conjunction with other malware.”
Organizations targeted by ransomware have slim chances of getting their data back unharmed unless they meet the hacker’s demands. It’s important to note that paying the ransom does not guarantee that users will receive the decryption key or unlock tools required to regain access to the infected system or files held hostage.
Jack Danahy, cofounder and CTO of the endpoint security company Barkly, writing for Health IT Security, states that ransomware attacks “…need to be disclosed as unauthorized exposures of private information because they are every bit as dangerous as the outright theft of the laptop, desktop, or server that they infect.”
In 2015, hundreds of thousands of records were reported breached because a system that contained ePHI came under the control of criminals. Even if the stolen information is never accessed or used, the fact that it’s in criminal possession is enough to qualify the situation as a HIPAA security breach.
According to the HHS, “…when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
A breach of the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”
Most often, ransomware criminals who target health information make demands of the rightful owners so that healthcare provision continues. Sometimes, though, the accessed records will be sold on the dark web, ultimately exposing patients’ personal health information.
Breach disclosure matters because underreporting makes it difficult to create a balanced solution to a complex and costly issue. We are at a crossroads with ransomware, and appropriate disclosure is critical to informed prevention and preparation, HIPAA regulations notwithstanding.
There Is a Solution
Ransomware prevention and recovery, from a healthcare sector perspective, call for a thorough risk analysis. It’s imperative that we identify any and all potential risks and vulnerabilities to the confidentiality, integrity, and availability of all sensitive data that’s created, maintained, and transmitted. It is vital that CEs and BAs implement security measures sufficient to reduce those identified risks and vulnerabilities to an appropriate level.
At its core, ransomware exploits people’s and companies’ unwillingness to back up their most precious data and files in a way that is completely disconnected from their main PC or network. When owners do not create separate carbon copies of their photo albums, music, programs, or documents, or of their critical system data, this type of malware can hold these folders hostage and expect the owner to pay because the hostage copy is the only version in existence.
Back Up Everything
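Data backup is the most secure method to protect yourself against malware. Backing up the operating system and all its contents to an air-gapped external hard drive every single day completely mitigates the risk of ransomware by circumventing the tool it uses to get you to pay in the first place. Because some ransomware also exfiltrates data, as the HHS definition above notes, backups restore access to the data but do not address disclosure of any copy the attacker has taken.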
Implement HIPAA Security Measures
The HIPAA Security Rule requires security measures that help prevent infiltration of malware, including ransomware. To help healthcare entities better understand and respond to the threat of ransomware, the HHS Office for Civil Rights has released new HIPAA guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including implementing:
- A security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI).
- Procedures to guard against and detect malicious software; training users on malicious software protection.
- Access controls to limit access to ePHI to only those persons or software programs requiring access.
Organizations must take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures, as well as response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents. Implementing compliant solutions that incorporate the context of specific business needs doesn’t have to be intimidating to the point of neglecting your most sensitive data security issues.