[BreachExchange] Defining ransomware and data breach disclosure

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 25 18:46:29 EDT 2016


http://www.csoonline.com/article/3096758/application-security/defining-ransomware-and-data-breach-disclosure.html

Earlier this year, Hollywood Presbyterian Medical Center paid a $17,000
ransom in Bitcoin to unlock the hacker-imposed encryption on its data. A
recent federal interagency report announced that since Jan. 1, 2016, there
have already been over 4,000 reported ransomware incidents per day, more
than three times the 1,000 such daily attacks that occurred throughout all
of 2015.

What are the effects of ransomware that have caused its recent rise to fame?

First, it must be established what happens during a ransomware incident. An
attacker gets through whatever protective physical and/or digital barriers
are in place to keep unauthorized persons from reaching specific
business-critical data. The goal of this attack is not for the attacker to
obtain a copy of the critical data. Instead, the perpetrator encrypts the
victim’s data to make it unusable by its authorized possessor. The attacker
can then extort money from the victim in exchange for decrypting the data
and returning it to a usable format.

Second, this significant increase in such attacks has prompted the Office
for Civil Rights (OCR) of the U.S. Department of Health and Human Services,
the federal agency responsible for investigating HIPAA breaches, to issue
guidance analyzing whether a ransomware incident constitutes a reportable
health care breach under federal law.

Is ransomware a HIPAA breach of electronic Protected Health Information
(ePHI)?

Title 45 of the Code of Federal Regulations contains the relevant HIPAA
provisions. Section 164.402 of Title 45 provides the definition of the term
breach as it pertains to ePHI: “Breach means the acquisition, access, use,
or disclosure of protected health information…which compromises the
security or privacy of the protected health information.” So the question
becomes: does a ransomware attack cause the “acquisition, access, use or
disclosure” of ePHI?

No court decision has yet addressed this issue, but expert commentators
have taken both sides of the argument.

Some believe that a ransomware attack is a HIPAA violation, because the
systems being accessed are no longer under the control of the healthcare
provider. Others, however, posit that ransomware would not result in a
reportable breach, since ransomware doesn’t actually give the attacker
access to ePHI. Whichever side you take in the violation/no-violation
argument, one important fact cannot be ignored: the victim of the attack is
unable to use the encrypted data.

What is OCR’s view?

The recent guidance issued by OCR states definitively that the “HIPAA
Security Rule requires implementation of security measures that can prevent
the introduction of malware, including ransomware” and also requires that
covered entities and business associates “implement policies and procedures
that can assist…in responding to and recovering from a ransomware attack.”

The guidance further acknowledges that the presence of ransomware does
constitute a “security incident” pursuant to 45 C.F.R. § 164.304, which
requires the initiation of “security incident response and reporting
procedures,” per 45 C.F.R. § 164.308(a)(6). The guidance advises that upon
discovery of a ransomware attack, the health care entity should immediately
implement its incident response plan, which should include, at a minimum,
“measures to isolate the affected computer systems in order to halt the
propagation of the attack.” The entity should also consider reporting the
incident to the appropriate FBI or U.S. Secret Service field office so that
the necessary federal, state and local law enforcement agencies are
appropriately deployed to “pursue cyber criminals globally and assist
victims of cybercrime.”

What other response factors should be considered?

To date, no court or regulatory judge has ruled that a ransomware incident
constitutes a reportable HIPAA breach. If an affected entity has a backup
copy of the data that the ransomware encrypted, it is possible this copy
could be used to restore that entity’s operational systems. The backup copy
should first be reviewed by competent professionals to ensure that it does
not also contain the ransomware or other malicious code.