[BreachExchange] OCR Makes It Official: Ransomware Attacks Are HIPAA Breaches

Inga Goddijn inga at riskbasedsecurity.com
Wed Jul 27 19:56:57 EDT 2016


http://www.jdsupra.com/legalnews/ocr-makes-it-official-ransomware-96324/

Ransomware attacks appear to be increasing in frequency as well as
severity. Ransomware is malicious software that encrypts data until a
ransom is paid to the hacker. For healthcare providers, the inability to
access electronic health records systems due to a ransomware attack is a
disaster scenario. While the decision whether to pay a ransom likely will
continue to plague providers who are attacked, there is new guidance from
the Department of Health and Human Services Office for Civil Rights (OCR)
<http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf> on how to
handle ransomware attacks under the Health Insurance Portability and
Accountability Act (HIPAA).

The new OCR guidance explains how the security requirements under HIPAA can
assist in preventing, detecting and recovering from ransomware attacks.
Most importantly, OCR states that these attacks constitute “breaches” under
HIPAA. OCR explains how covered entities and business associates should
manage the breach notification process under HIPAA in the event that a
ransomware attack occurs.

*Preventing Ransomware Attacks*

HIPAA’s Security Rule contains standards and requirements for all covered
entities and business associates to evaluate and address vulnerabilities in
their information systems to prevent unauthorized access to electronic
protected health information (ePHI). OCR’s guidance explains that
organizations may prevent ransomware attacks or lessen their severity by
complying with the HIPAA security requirements, including conducting a risk
analysis of vulnerabilities, implementing procedures to guard against and
detect malware, training users on malware protection, and limiting access
to ePHI to only persons or software programs requiring access.

*Detecting Ransomware Attacks*

The OCR guidance provides a list of several indicators of a ransomware
attack. OCR notes that appropriately training employees on these indicators
can assist organizations in detecting the ransomware. The HIPAA Security
Rule requires covered entities and business associates to train their
workforces on security procedures, including detection of unauthorized
activity.

*Recovering from Ransomware Attacks*

Compliance with the HIPAA Security Rule standards can also help
organizations recover from a ransomware attack. The Security Rule requires
organizations to implement plans for responding to security incidents,
including malware attacks. Such plans should incorporate procedures to
isolate infected computer systems and prevent ransomware from spreading.
Response plans should also include processes to analyze ransomware, contain
its impact, eradicate the ransomware and remediate the vulnerabilities that
allowed the ransomware attack. OCR emphasizes that frequent data backups
and ensuring the ability to recover data from such backups will facilitate
recovery from an attack. OCR also encourages organizations to periodically
conduct data restoration tests and maintain backups offline, away from the
networks where data are stored.

*Breach Analysis and Notification*

As with any unauthorized access of health information, covered entities and
business associates must conduct an analysis of a ransomware attack to
determine whether it constitutes a “breach” under HIPAA. OCR confirms that
ransomware attacks constitute a breach, because unauthorized individuals
have taken possession or control of the ePHI, constituting an unauthorized
disclosure. It is presumed that a breach occurred unless the organization
can demonstrate that there is a low probability that the ePHI has been
compromised, based on several factors set forth in the HIPAA breach
notification rule, and the organization must follow the notification
processes required by HIPAA. The OCR guidance notes, however, that the
HIPAA breach notification requirements apply only to “unsecured PHI.” Thus,
if the ePHI that is targeted in a ransomware attack is encrypted in a
manner consistent with HIPAA guidelines, the breach notification safe
harbor may apply. As OCR noted, this determination is fact-specific.

OCR emphasizes throughout the new guidance that security measures, risk
analyses and breach analyses vary depending on an organization’s individual
infrastructure and the specific facts of a potential breach, including
ransomware attacks.