Is your healthcare practice vulnerable to ransomware? More and more hospitals and healthcare institutions are falling victim to these types of cyber attacks. Healthcare ransomware is a serious epidemic on the rise, attacking large and small institutions alike.
What is ransomware? Ransomware is malicious software that encrypts a user's data, denying access until a ransom is paid. In order to receive the decryption key, the user is instructed to pay the ransom, usually in cryptocurrency, such as Bitcoin. Some ransomware can even destroy or export data, in addition to simply holding it for ransom. Ransomware is often hidden in phishing emails and delivered through attachments that are unknowingly opened by the recipient.
For healthcare institutions that are victims of ransomware, the question must be, "Is a ransomware attack considered a HIPAA breach?" The answer is, "It depends." Each ransomware incident must be investigated by the affected organization on a case-by-case basis.
Let's begin with the definition of a HIPAA breach. The U.S. Department of Health and Human Services (HHS) defines a breach of protected health information (PHI) as, "...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI." According to guidance recently published by HHS, "When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a 'disclosure' not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a '...low probability that the PHI has been compromised,' based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred."
HHS requires organizations affected by malicious software, such as ransomware, to demonstrate that there is a low probability that PHI has been compromised, by conducting a written breach risk assessment. The following elements must be considered:
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
The unauthorized person who used the PHI or to whom the disclosure was made;
Whether the PHI was actually acquired or viewed; and
The extent to which the risk to the PHI has been mitigated.
Specifically, a thorough risk assessment should establish, for example: the type of malware discovered; the actions the malware carried out on the affected systems; any communications between the attacker and the malicious software (including exfiltration attempts); and whether the malware spread to other systems, potentially affecting additional sources of electronic protected health information (ePHI).
Of course, it's always better to be proactive than reactive. Hospitals and healthcare practices can reduce their risk of a malware attack by implementing security measures outlined in the HIPAA Security Rule, including:
Conducting a formal security risk analysis to identify threats and vulnerabilities to ePHI;
Implementing a risk management process to mitigate and remediate identified vulnerabilities;
Applying procedures to guard against and detect malicious software;
Training users to recognize phishing emails and be wary of suspicious websites, and establishing a reporting mechanism for users to report unusual activity; and
Limiting access to ePHI to those users and entities who require it.
A publication by the Department of Health and Human Services (HHS) titled "FACT SHEET: Ransomware and HIPAA" provides additional information on the HIPAA requirements and on how to prevent and respond to ransomware.
Conducting an annual onsite security risk analysis and mock HIPAA audit will help pinpoint your areas of vulnerability and reduce the risk of unauthorized access to PHI. In addition, performing regular HIPAA training helps your employees understand how to effectively safeguard your patients' health information from security threats. Lastly, establishing written organizational HIPAA policies and procedures that address the specifications of the Privacy, Security, Breach Notification, and Omnibus Rules is an important requirement that will help keep you focused on protecting confidential health information.