OCR Releases Guidance on Ransomware: “Your Money or Your PHI”
On Monday, the Office for Civil Rights (OCR) released important new guidance on ransomware for hospitals and other healthcare providers and finally addressed the question of whether electronic protected health information (ePHI) that has been encrypted on a covered entity’s systems, but potentially not accessed by the hacker, has been breached for HIPAA purposes. Back in March, OCR highlighted the threat of ransomware in its “OCR Cyber-Awareness Monthly Update.” Rather than just describing the threat, yesterday’s guidance ties the prevention of, detection of, and response to a ransomware attack to a Covered Entity’s obligations under HIPAA. A key component of the guidance provides a ransomware attack that encrypts a Covered Entity’s ePHI is presumed to be a breach. As ransomware can infect a Covered Entity’s entire system, this presumption may lead to enormous breach notification obligations.
Numerous government agencies (FBI, Department of Homeland Security, Department of Health and Human Services) have warned about the threat ransomware poses to a variety of business, including health care entities. These warnings have come on the heels of attacks against MedStar Health and Hollywood Presbyterian. Ransomware is malicious software that infects a system and either encrypts the data (making it inaccessible to anyone but the hacker) or destroys it. Hackers hold the data hostage and demand a ransom for it (usually payable in Bitcoin). For any business, a ransomware attack can mean a serious disruption in operations. In the Hollywood Presbyterian attack, the hospital was forced to revert to some paper-based systems as electronic systems were inaccessible. For Covered Entities, a ransomware attack impacting ePHI also has HIPAA implications.
Preventing and Detecting Attacks
In yesterday’s guidance, OCR detailed how a robust HIPAA security program can help prevent and detect ransomware attacks. In preventing attacks, OCR focused on:
Conducting and updating a risk assessment and implementing security measures to address risks (hint: if your risk assessment doesn’t include ransomware, it’s not up to date)
Workforce training on ransomware
Access controls that limit user access to ePHI
In detecting and recovering from ransomware attacks, OCR noted:
The importance of frequent data backups to aid in data recovery
The ability to detect and conduct a preliminary analysis of the threat
Being prepared to activate the entity’s contingency plan (a HIPAA security requirement) and security incident response procedures
The guidance also walks through the process of assessing whether a ransomware attack constitutes a breach of PHI under HIPAA. There has been confusion in the health care community regarding whether an attack that encrypts PHI (thereby prohibiting the entity from accessing its own records, but not necessarily permitting a hacker to access the records) could constitute a breach (defined as “. . . the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”). OCR indicates that when ePHI is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals took possession of the information) and is thus a “disclosure” not permitted under the HIPAA Privacy Rule has occurred.
Interestingly, OCR suggests in the guidance that, as in any breach analysis, the unauthorized acquisition of PHI in a ransomware attack does not constitute a breach for HIPAA purposes if the entity can demonstrate that there is a “low probability that the PHI has been compromised.” Determining whether this standard is met requires assessing the four factors set forth in the Breach Notification Rule (45 C.F.R. § 164.400-414), in conjunction with the guidance provided in the Preamble to the Omnibus Rule. Additionally, OCR indicates that entities are “encouraged to consider additional factors” in determining the probability of compromise, including risks to the availability and integrity of the data. Verifying a low probability of compromise in a malware situation is an uphill battle that will require a detailed understanding of the malware and how it is programmed to perform; as well as understanding how the malware propagates throughout an enterprise, the data that it is searching for and whether or not it is programmed to exfiltrate data, or deposit malicious software or exploit other vulnerabilities to provide future unauthorized access. If the covered entity is seeking to demonstrate low probability of compromise, it will have to conduct and document this analysis within HIPAA’s breach notification time constraints and those of overlapping state data security laws.
Finally, OCR addressed the question of whether a ransomware attack affects ePHI that was already encrypted could constitute a reportable breach. OCR indicates that this is a fact-specific determination that hinges on whether the data was actually encrypted at the time the ransomware accessed the file. For example, even if a laptop is equipped with full disk encryption, if an authorized user is logged in and clicks a malicious link, the ransomware may access ePHI that is transparently decrypted (just as the user could access decrypted PHI). In that instance, the files accessed are unsecured PHI and the incident is presumed to be a breach.
OCR’s guidance makes clear that a ransomware attack, like all breaches, is best addressed proactively, through steps such as employee training, to prevent ransomware attacks in the first place; data backup, to prevent disruption of services and ensure the integrity of ePHI; and careful breach response planning, to ensure the availability of forensics and technical support necessary to support mitigation and notification decisions. The guidance also makes clear that OCR will view a ransomware attack as a compliance failure, and not the unavoidable result of a sophisticated hacker.