[BreachExchange] The Wicked Way Ransomware Can Get You in Regulatory Hot Water

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 4 19:48:45 EDT 2016


http://www.lexology.com/library/detail.aspx?g=eb237bd8-de9d-4b44-972d-b90de1886050


Last year we predicted an increase in enforcement activity against
companies with allegedly defective cybersecurity practices that fail to
protect consumer data against hackers. Our prediction stemmed from a
federal appeals court decision upholding the Federal Trade Commission’s
authority to pursue regulatory enforcement action against a victim of a
major cyber-attack. At the time, we noted that FTC cybersecurity actions
relate more to failed promises about security than defects in security
itself.

Fast forward to July 2016, when an alarming enforcement threat was included
in guidance from the Health & Human Services’ Office for Civil Rights,
which enforces the HIPAA Security rule.  The new guidance, according to
HHS, is “designed to help health care entities better understand and
respond to the threat of ransomware.”

But it’s more than that. The unwanted encryption of Personal Health
Information following a ransomware attack may be treated by HHS as a HIPAA
breach, even when the PHI had already been encrypted by the covered entity
to comply with the Security Rule.

How can this be?  After all, when it comes to protecting personal
information, encryption is good, right?

Yes, encryption is a way to comply with the HIPAA Security Rule’s
requirement to limit access to electronic personal health information to
only those persons requiring access. Ransomware applies a second,
malicious layer of encryption, rendering the data useless until the victim
pays for the key that removes it, as victims often do.

If the goal of encryption is to keep unauthorized users away, redundant
encryption, though terrible to deal with, doesn’t seem to increase the
likelihood the twice-scrambled data can be exploited.
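As an added illustration, not part of the original article or of the HHS guidance, the following Go program models the two situations the argument above turns on: a record that the covered entity had already encrypted at rest under its own key before ransomware encrypted it again, and a record that was stored in the clear. The function and variable names, the constructed sample record, and the choice of AES-256-GCM for both layers are assumptions made for this demonstration; what matters is that whoever holds only the ransomware key can peel off exactly one layer, so what they recover is either the entity's ciphertext or the readable record.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// samplePHI is a constructed placeholder record; it is not real patient data.
var samplePHI = []byte("patient=Jane Q. Sample; mrn=000000; dx=example")

// newKey returns a fresh random 256-bit AES key.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// seal encrypts plaintext with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the data was altered.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// looksLikePHI is a deliberately simple check for whether recovered bytes are
// the readable record rather than ciphertext.
func looksLikePHI(data []byte) bool {
	return bytes.Contains(data, []byte("patient="))
}

// RansomwareKeyExposesPHI asks the question a post-attack risk assessment has
// to answer: if the only key an outsider holds is the ransomware's own key,
// can they read the record? atRestEncrypted says whether the covered entity
// had already encrypted the record under its own key before the attack.
func RansomwareKeyExposesPHI(atRestEncrypted bool) (bool, error) {
	stored := samplePHI
	if atRestEncrypted {
		entityKey, err := newKey()
		if err != nil {
			return false, err
		}
		stored, err = seal(entityKey, samplePHI)
		if err != nil {
			return false, err
		}
	}
	// The attack: whatever was stored is encrypted under a key the entity does not hold.
	ransomKey, err := newKey()
	if err != nil {
		return false, err
	}
	ransomed, err := seal(ransomKey, stored)
	if err != nil {
		return false, err
	}
	// Holding the ransomware key removes exactly that one layer and no more.
	recovered, err := open(ransomKey, ransomed)
	if err != nil {
		return false, err
	}
	return looksLikePHI(recovered), nil
}

func main() {
	for _, encrypted := range []bool{false, true} {
		exposed, err := RansomwareKeyExposesPHI(encrypted)
		if err != nil {
			panic(err)
		}
		fmt.Printf("encrypted at rest before attack=%v -> ransomware key alone exposes PHI=%v\n",
			encrypted, exposed)
	}
}
```

The second case is the one the article's later advice depends on: when the record was already ciphertext under the entity's key, the ransomware operator's own key recovers nothing readable, which is the evidence a risk assessment would cite for a low probability of compromise. Whether a regulator accepts that conclusion is the legal question the article goes on to discuss.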

So how is it a breach?

HHS/OCR says whether or not the presence of ransomware would be a breach
under the HIPAA Rules is a fact-specific determination, noting a breach
under the HIPAA Rules is defined as, “…the acquisition, access, use, or
disclosure of PHI in a manner not permitted which . . . compromises the
security or privacy of the PHI.”

The guidance says OCR will presume a breach of PHI because the action of
the ransomware itself is necessarily an unauthorized “possession or
control” of the information and is thus a “disclosure” not permitted under
the HIPAA Privacy Rule.  The new guidance puts the burden on the covered
entity or associated business to conduct a post-attack risk assessment that
is thorough, completed in good faith and reaches reasonable conclusions to
determine the probability PHI was compromised.

The guidance also outlines numerous possibilities, largely implying that
ransomware victims are expected to comply with the applicable breach
notification provisions, including to affected individuals, the Secretary
of HHS, and the media if the breach affects more than 500 individuals, in
accordance with HIPAA breach notification requirements.

Our suggestion: if you are not yet a ransomware victim, make sure your
encryption practices related to PHI will assure a low probability of
“compromise” in the event of unwelcome encryption by criminals. Unless you
are intimately familiar with encryption standards for data at rest, you may
need assistance from your IT expert and your lawyer. And, if attacked by a
ransomware-wielding criminal, engage counsel immediately, because your
thorough, good-faith and reasonable forensic examination ought to be done
by IT experts working with your counsel and protected by attorney-client
privilege. If your experts determine there has not been a reportable
breach, you may have to justify that determination to regulators at
HHS/OCR. This could be especially true if the attack on your business has
drawn media attention.

Check Your Protection Plan

Whatever your business, if you handle personally identifiable information,
credit cards or any other form of electronic payments, especially for
consumers, it is critical to review your cybersecurity and privacy
policies in light of your actual business practices.