New OCR Ransomware Fact Sheet Explains a Covered Entity’s Obligations
Ransomware is currently the fastest growing malware threat. On average, over 4,000 ransomware attacks occur daily against individuals, businesses, and governments. Victims of successful attacks must determine the extent of the damage, which is often difficult and expensive. Many healthcare providers have experienced these attacks, ranging from business records and systems to electronic health records. Experts anticipate that these attacks will increase in the near future.
A typical attack involves tricking users into opening infected attachments or disclosing passwords through social engineering. Malicious code then encrypts users’ data on the infected device and can spread to encrypt network drives. A successful attacker will eventually send a message demanding payment for the decryption key. Receipt of that message is often the first point in time when victims realize their devices have been infected.
Ransomware poses extra problems under HIPAA’s Privacy Rule because it can affect protected health information (“PHI”) and trigger reporting or notification requirements. To be a violation of HIPAA’s Privacy Rule, an impermissible use or disclosure of PHI must have occurred. If ransomware simply encrypts or locks PHI stored on local computers or servers without exfiltration, it is arguably not a disclosure. However, the Office of Civil Rights (“OCR”) recently issued a Fact Sheet stating the simple act of encryption, regardless of exfiltration, is presumed to be a breach because it is an “acquisition” of ePHI and “thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” To overcome the presumption of a breach, covered entities must prove there was a low probability of compromise.
Because OCR has taken this broad interpretation of disclosure, victims of ransomware must perform a forensic analysis, typically by third-party experts, to determine whether PHI has been compromised. If the covered entity can prove there is a low probability that PHI has been compromised, then there are no notification or reporting requirements. To show a low probability of compromise, victims must assess four factors, at minimum:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
We advise clients that a forensic analysis to determine the nature of the malware affecting their system is necessary. At some point, ransomware variants may do more than merely encrypt the data. Covered entities must know what variant they are dealing with and what that malware does with the systems and data it has infiltrated. It is our recommendation that when performing a forensic analysis, covered entities should also assess the probability of compromise and whether data was actually acquired or viewed. OCR also suggests considering whether the attack posed a risk to the availability or integrity of the data, especially if it could affect medical diagnosis or treatment.
Thoughtful and thorough documentation is essential following a ransomware attack.
At present, the most effective way to deal with ransomware is to couple employee training about ransomware with a quick and effective security incident response program. Organizations should also be prepared to restore data from a current backup (which has not been infected by malware). Finally, OCR strongly suggests contacting local FBI or Secret Service field offices to aid in cybercrime investigations.