December 1, 2022

Volume XII, Number 335


OCR Releases Guidance on Ransomware: “Your Money or Your PHI”

On Monday, the Office for Civil Rights (OCR) released important new guidance on ransomware for hospitals and other healthcare providers and finally addressed the question of whether electronic protected health information (ePHI) that has been encrypted on a covered entity’s systems, but potentially not accessed by the hacker, has been breached for HIPAA purposes. Back in March, OCR highlighted the threat of ransomware in its “OCR Cyber-Awareness Monthly Update.” Rather than just describing the threat, yesterday’s guidance ties the prevention of, detection of, and response to a ransomware attack to a Covered Entity’s obligations under HIPAA. A key component of the guidance provides that a ransomware attack that encrypts a Covered Entity’s ePHI is presumed to be a breach. Because ransomware can infect a Covered Entity’s entire system, this presumption may lead to enormous breach notification obligations.

Numerous government agencies (FBI, Department of Homeland Security, Department of Health and Human Services) have warned about the threat ransomware poses to a variety of businesses, including health care entities. These warnings have come on the heels of attacks against MedStar Health and Hollywood Presbyterian. Ransomware is malicious software that infects a system and either encrypts the data (making it inaccessible to anyone who does not hold the attacker’s decryption key) or destroys it. Hackers hold the data hostage and demand a ransom for it (usually payable in Bitcoin). For any business, a ransomware attack can mean a serious disruption in operations. In the Hollywood Presbyterian attack, the hospital was forced to revert to some paper-based systems because its electronic systems were inaccessible. For Covered Entities, a ransomware attack impacting ePHI also has HIPAA implications.

Preventing and Detecting Attacks

In yesterday’s guidance, OCR detailed how a robust HIPAA security program can help prevent and detect ransomware attacks. In preventing attacks, OCR focused on:

  • Conducting and updating a risk assessment and implementing security measures to address risks (hint: if your risk assessment doesn’t include ransomware, it’s not up to date)

  • Workforce training on ransomware

  • Access controls that limit user access to ePHI

In detecting and recovering from ransomware attacks, OCR noted:

  • The importance of frequent data backups to aid in data recovery

  • The ability to detect and conduct a preliminary analysis of the threat

  • Being prepared to activate the entity’s contingency plan (a HIPAA security requirement) and security incident response procedures
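The detection bullet above is stated at the level of a program requirement; the guidance and this article do not prescribe a technique. As an added illustration that is not part of the OCR guidance or the original article, the following Python scanner shows three indicators a preliminary analysis commonly relies on: planted canary files whose hash no longer matches a recorded baseline, files whose byte entropy looks like ciphertext where plaintext is expected, and ransom-note-style file names. The entropy threshold, the list of extensions where dense data is normal, and the note keywords are assumptions chosen for this example, and the directory tree it scans is constructed in a temporary folder (no real PHI).

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Illustrative thresholds, assumed for this example (tune per environment).
ENTROPY_THRESHOLD = 7.5                       # bits/byte; ciphertext approaches 8.0
ALREADY_DENSE = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf"}  # high entropy is normal here
NOTE_EXTS = {".txt", ".html", ".hta"}
NOTE_HINTS = ("decrypt", "ransom", "recover", "restore")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`: 0.0 for empty or single-valued input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not land in memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, canaries):
    """
    Walk `root` and return three indicator lists:
      canary_changed: canary files that were deleted or whose SHA-256 differs from `canaries`
      high_entropy:   files whose content looks encrypted and whose extension is not in ALREADY_DENSE
      ransom_notes:   text-like files whose name mentions decryption, ransom or recovery
    `canaries` maps Path -> baseline hex digest recorded when the canaries were planted.
    """
    root = Path(root)
    result = {"canary_changed": [], "high_entropy": [], "ransom_notes": []}
    # Check canaries first so a deleted canary is still reported.
    for canary, baseline in canaries.items():
        if not canary.exists() or sha256_file(canary) != baseline:
            result["canary_changed"].append(str(canary))
    canary_set = set(canaries)
    for path in root.rglob("*"):
        if not path.is_file() or path in canary_set:
            continue
        suffix = path.suffix.lower()
        if suffix in NOTE_EXTS and any(h in path.name.lower() for h in NOTE_HINTS):
            result["ransom_notes"].append(str(path))
            continue
        if suffix in ALREADY_DENSE:
            continue
        data = path.read_bytes()
        if len(data) >= 64 and shannon_entropy(data) > ENTROPY_THRESHOLD:
            result["high_entropy"].append(str(path))
    return result


def demo() -> dict:
    """Build a constructed sample tree, simulate an encryption event, and return basenames found."""
    with tempfile.TemporaryDirectory() as tmp:
        records = Path(tmp) / "records"
        records.mkdir()
        (records / "visit_notes.txt").write_text("Follow-up visit; BP 120/80; no change.\n" * 20)
        (records / "scan.png").write_bytes(os.urandom(8192))        # dense but expected
        canary = records / "zz_canary.docx"
        canary.write_text("canary file: never edited by staff\n")
        baseline = {canary: sha256_file(canary)}                     # recorded when planted
        # Simulated ransomware activity: overwrite a record and the canary, drop a note.
        (records / "labs.csv.locked").write_bytes(os.urandom(8192))
        canary.write_bytes(os.urandom(8192))
        (records / "HOW_TO_DECRYPT_FILES.txt").write_text("Your files are encrypted. Pay to recover.\n")
        found = scan_tree(records, baseline)
    return {k: sorted(Path(p).name for p in v) for k, v in found.items()}


if __name__ == "__main__":
    print(demo())
```

A scanner like this is a preliminary-analysis aid, not a control: it confirms that encryption of the monitored tree has started and which areas are affected, which is the information the contingency plan and breach analysis both need, but it does not stop the encryption. The canary check is the most reliable of the three, since it does not depend on tuning an entropy threshold; the other two produce false positives on already-compressed formats and on legitimate recovery documentation, which is why the extension allow-list and the keyword list should be adjusted per environment.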

Breach Analysis

The guidance also walks through the process of assessing whether a ransomware attack constitutes a breach of PHI under HIPAA. There has been confusion in the health care community regarding whether an attack that encrypts PHI (thereby preventing the entity from accessing its own records, but not necessarily permitting a hacker to access the records) could constitute a breach (defined as “. . . the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”). OCR indicates that when ePHI is encrypted as a result of a ransomware attack, a breach has occurred: the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals took possession of the information), and thus a “disclosure” not permitted under the HIPAA Privacy Rule has occurred.

Interestingly, OCR suggests in the guidance that, as in any breach analysis, the unauthorized acquisition of PHI in a ransomware attack does not constitute a breach for HIPAA purposes if the entity can demonstrate that there is a “low probability that the PHI has been compromised.” Determining whether this standard is met requires assessing the four factors set forth in the Breach Notification Rule (45 C.F.R. § 164.400-414), in conjunction with the guidance provided in the Preamble to the Omnibus Rule. Additionally, OCR indicates that entities are “encouraged to consider additional factors” in determining the probability of compromise, including risks to the availability and integrity of the data. Demonstrating a low probability of compromise in a malware situation is an uphill battle. It requires a detailed understanding of the malware and how it is programmed to perform: how it propagates throughout an enterprise, what data it searches for, whether it is programmed to exfiltrate data, and whether it deposits additional malicious software or exploits other vulnerabilities to provide future unauthorized access. A covered entity seeking to demonstrate a low probability of compromise will have to conduct and document this analysis within HIPAA’s breach notification time constraints and those of overlapping state data security laws.

Finally, OCR addressed the question of whether a ransomware attack that affects ePHI that was already encrypted could constitute a reportable breach. OCR indicates that this is a fact-specific determination that hinges on whether the data was actually encrypted at the time the ransomware accessed the file. For example, even if a laptop is equipped with full disk encryption, if an authorized user is logged in and clicks a malicious link, the ransomware may access ePHI that is transparently decrypted (just as the user could access decrypted PHI). Full disk encryption protects data at rest, that is, while the device is powered off or the volume is locked; once the volume is unlocked, any process running in the logged-in user’s session, ransomware included, reads plaintext. In that instance, the files accessed are unsecured PHI and the incident is presumed to be a breach.

OCR’s guidance makes clear that a ransomware attack, like all breaches, is best addressed proactively, through steps such as employee training, to prevent ransomware attacks in the first place; data backup, to prevent disruption of services and ensure the integrity of ePHI; and careful breach response planning, to ensure the availability of forensics and technical support necessary to support mitigation and notification decisions. The guidance also makes clear that OCR will view a ransomware attack as a compliance failure, and not the unavoidable result of a sophisticated hacker.

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume VI, Number 194

About this Author

Dianne Borque, Health Care, licensure, risk management, attorney, Mintz
Of Counsel

Dianne advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care. As former in-house counsel to an academic medical center, a large part of her practice involves counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, including patient consent, access to and use of tissue and associated patient information, and the Institutional Review Board process. In addition, Dianne currently serves as a Vice Chair of AHLA's...

(617) 348-1614