As ransomware escalates and poses serious security risks for healthcare institutions, many privacy experts and legislators have called for more specific guidance from the U.S. Department of Health and Human Services (HHS).
A few weeks ago, HHS responded to these calls with a detailed fact sheet to explain ransomware and provide advice. Although most of the document outlines what should be obvious for an organization that already has a solid data security plan (including reliable back-ups, workforce training, and contingency plans), the major headline is HHS’s verdict on whether or not a ransomware attack qualifies as a data breach under HIPAA.
The Debate About Ransomware
Prior to the release of this document, healthcare organizations had few legal obligations specific to ransomware. As a ransomware attack locks and encrypts an organization’s data rather than exposes or distributes, many experts did not consider it to constitute a data breach.
But some people maintained that since the personal information is no longer under the control of the organization during a ransomware attack, notification of an incident is crucial. In particular, Congressman Ted Lieu of California, who pushed the HHS for increased guidance, expressed concern that not only is patient privacy compromised, but a ransomware attack could have grave implications on patient care if a hospital cannot access vital records. He said: “If a ransomware attack denies a patient access to their medical record or medical services, the patient needs to know as quickly as possible.”
HHS’s Position About Ransomware
as a Reportable Data Breach
HHS agreed and issued the following statements regarding ransomware and data breaches:
“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired . . . and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
However, the HHS provided details on how an organization can be granted an exception:
“Unless the covered entity or business associate can demonstrate that there is a ‘. . . low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.”
The default assumption then, according to the guidance, is that a data breach has occurred in an incident of ransomware, though the document clarifies that “[w]hether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination.” An organization may avoid reporting a breach if they can demonstrate that there is a low probability that PHI was compromised in a particular incident. To do this, an organization must assess the following factors:
- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- the unauthorized person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed; and
- the extent to which the risk to the PHI has been mitigated.
If the organization is attacked by ransomware but cannot prove there was a low probability of compromised personal information, they must follow the HIPAA breach notification procedures.
The Bottom Line
So boiling things down, HHS is basically saying:
(1) Avoid assuming that a ransomware attack is not a reportable HIPAA data breach just because the information is encrypted and not in the actual possession of a hacker.
(2) Analyze the situation using the four factors to determine the probability that PHI was compromised.
The Debate Continues
While the new policy is welcomed by many, some feel the new guidelines add an undue burden on an organization when personal information has clearly not been compromised because of the nature of ransomware. In addition, some experts believe that the term “compromise” has still not been spelled out clearly enough. Citing the fact that ransomware attackers are more motivated by quick money than by exposing patient records, several experts believe that it is unnecessary to issue breach notification or consider personal information “compromised” when no data has actually been accessed.
As one commentator argues: “Ransomware simply does not work the way the authors of the new HHS guidelines have implied. Even in a targeted attack, the ransomware authors are not seeking to use any of the data that is encrypted; they are after the value of the target getting back in operation.”
If an organization is already in compliance with HIPAA and has a reliable data security system in place to mitigate and respond to attacks, some feel it is excessive for an organization to prove the four factors necessary to be considered “low probability” of compromised PHI.
I believe that overall, the HHS guidance is a step in the right direction. Organizations shouldn’t rely solely on the assumption that ransomware attackers aren’t interested in anything other an obtaining a ransom payment. Ransomware is rapidly evolving, so it is more prudent not to rely on assumptions. Organizations should do the four-factor analysis under HIPAA to determine whether the risk of PHI being compromised.
As occurrences of ransomware are notoriously underreported, increased information about new strains of attacks could help the industry as a whole in establishing more effective security measures. As these new strains quickly evolve, the urgency for organizations to be prepared and fortify their security has intensified.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.