
HHS OCR Issues Guidance on Ransomware Attacks and HIPAA Breaches

July 12, 2016
by Heather Landi

Is a ransomware attack on a healthcare organization’s or business associate’s computer system a breach under the Health Insurance Portability and Accountability Act (HIPAA) Rules? If electronic protected health information (ePHI) has been encrypted as a result of the ransomware, a breach is presumed, according to newly released guidance from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Unless the covered entity or business associate can demonstrate that there is a “...low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred, according to the HHS ransomware and HIPAA guidance. This means that a healthcare organization, or a business associate, that has been subjected to a ransomware attack “must comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements," the OCR guidance stated, citing federal regulations under 45 C.F.R. 164.400-414.

HHS OCR released the ransomware and HIPAA guidance at a time when healthcare organizations are increasingly faced with new cybersecurity threats. The guidance aims to provide healthcare organizations with information about ransomware attack prevention and recovery from a healthcare sector perspective, including the role HIPAA has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.

According to HHS, a recent U.S. government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300 percent increase over the 1,000 daily ransomware attacks reported in 2015). Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure in order to deny the organization access to its own data by encrypting that data, HHS stated.

The guidance appears to be in line with recent calls from the industry and legislators for HHS to develop guidance that recognizes the differences between ransomware and traditional data breaches under the HIPAA Rules. As previously reported by Healthcare Informatics, Representatives Ted Lieu (D-Los Angeles County) and Will Hurd (R-San Antonio) recently wrote a letter to Deven McGraw, Deputy Director of the Office for Civil Rights (OCR) under HHS, calling on federal regulators to treat ransomware attacks as breaches under the Health Information Technology for Economic and Clinical Health (HITECH) Act and recommending guidance that “aggressively requires reporting of ransomware attacks to regulators.”

In the letter, Reps. Hurd and Lieu wrote, "If the provider or other party providing care would be either unable to care for the patient or unable to provide information critical to the care for the person, swift patient notification is paramount, but if the ransomware does not affect patient safety then patient notification may be unnecessary."

Specifically addressing whether the presence of ransomware constitutes a breach under the HIPAA Rules, the HHS guidance states that it is a “fact-specific determination.” A breach under the HIPAA Rules is defined as “…the acquisition, access, use or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI,” according to HHS, citing 45 C.F.R. 164.402.

“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule,” the HHS guidance stated.

As stated above, if a healthcare organization can demonstrate a “low probability” that the PHI has been compromised, then a breach notification is not required.

According to the HHS guidance, to demonstrate that there is a low probability that the PHI has been compromised because of a breach, healthcare organizations must conduct a risk assessment that considers at least the following four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated

The agency also states that a thorough evaluation of the attack, carried out as part of the security incident response, can reveal the exact type and variant of the malware, the algorithmic steps it took, and whether it propagated to other systems, all of which feed the risk assessment. Identifying the variant matters in practice because whether that family is known to copy data out before encrypting it bears directly on the third factor, whether the PHI was actually acquired or viewed.

HHS also encourages organizations to consider whether there is a high risk of unavailability of the data, or a high risk to the integrity of the data, since such additional factors may indicate compromise. “In those cases, entities must provide notification to individuals without unreasonable delay, particularly given that any delay may impact healthcare service and patient safety,” the HHS guidance stated.

HHS further recommends that organizations consider the impact of the ransomware on the integrity of the patient data (PHI). The agency notes that ransomware frequently, after encrypting the data it was seeking, deletes the original data and leaves only the encrypted form. “An entity may be able to show mitigation of the impact of a ransomware attack affecting the integrity of the PHI through the implementation of robust contingency plans including disaster recovery and data backup plans,” the HHS guidance stated.

“Test restorations should be periodically conducted to verify the integrity of backed up data and provide confidence in an organization’s data restoration capabilities,” HHS stated, also noting that organizations should consider whether or not PHI has been exfiltrated.
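The two points above, that ransomware commonly replaces originals with encrypted copies and that restores must be tested rather than assumed, are easier to act on as a repeatable check. The following is an added example, not code from the HHS guidance, the article, or any product: it records a SHA-256 manifest of a file tree at backup time, then verifies a tree against that manifest, reporting files that are missing, unexpected, or modified, with byte entropy attached to modified files so in-place encryption stands out from ordinary edits. The directory layout, record file names and the simulated ransomware step (random bytes standing in for ciphertext) are constructed assumptions for the demonstration.

```python
"""Backup manifest and test-restore verification (added example; not from the
HHS guidance or the article). Assumes a directory tree of files and a manifest
of SHA-256 hashes; every file used below is constructed sample data."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root.
    Produce this at backup time and keep a copy off the backup media."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: repetitive text scores low, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare a restored (or suspect live) tree against the manifest.
    Modified files carry their entropy so responders can separate in-place
    encryption from ordinary edits."""
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) == expected:
            result["ok"].append(rel)
        else:
            ent = shannon_entropy(p.read_bytes()[:65536])
            result["modified"].append((rel, round(ent, 2)))
    result["unexpected"] = [p.relative_to(root).as_posix()
                            for p in sorted(root.rglob("*"))
                            if p.is_file() and p.relative_to(root).as_posix() not in manifest]
    return result


def restore_is_clean(result: dict) -> bool:
    """A test restore passes only if every manifest entry is present and intact."""
    return not (result["modified"] or result["missing"] or result["unexpected"])


def copy_tree(src: Path, dst: Path, manifest: dict) -> None:
    """Copy exactly the manifest's files (the backup, and later the restore)."""
    for rel in manifest:
        (dst / rel).parent.mkdir(parents=True, exist_ok=True)
        (dst / rel).write_bytes((src / rel).read_bytes())


def demo() -> dict:
    """Constructed scenario: back up two records, simulate ransomware that
    encrypts one file in place and renames the other (original deleted),
    then verify both the damaged live tree and a test restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = (Path(tmp) / d for d in ("live", "backup", "restored"))
        (live / "records").mkdir(parents=True)
        (live / "records" / "patient_001.txt").write_text("MRN 0001; visit note\n" * 60)
        (live / "records" / "patient_002.txt").write_text("MRN 0002; lab result\n" * 60)
        manifest = build_manifest(live)
        copy_tree(live, backup, manifest)

        # Simulated ransomware; os.urandom stands in for the ciphertext.
        v1 = live / "records" / "patient_001.txt"
        v1.write_bytes(os.urandom(v1.stat().st_size))            # encrypted in place
        v2 = live / "records" / "patient_002.txt"
        v2.with_name(v2.name + ".locked").write_bytes(os.urandom(v2.stat().st_size))
        v2.unlink()                                                # original deleted

        damaged = verify_tree(live, manifest)
        copy_tree(backup, restored, manifest)                     # the test restore
        return {"damaged": damaged, "restore": verify_tree(restored, manifest)}


if __name__ == "__main__":
    out = demo()
    print("live tree:", {k: v for k, v in out["damaged"].items() if k != "ok"})
    print("test restore clean:", restore_is_clean(out["restore"]))
```

Run the same `verify_tree` against a scheduled test restore and alert when `restore_is_clean` is false; the manifest only proves anything if it is stored somewhere the ransomware cannot reach, so keep it with an offline or immutable copy of the backup rather than beside the live data.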

Regarding ePHI that the organization had already encrypted to comply with HIPAA, the guidance notes that the breach notification provisions apply only to “unsecured PHI,” meaning PHI that is not secured through the use of a technology or methodology specified by the Secretary in guidance. If the ePHI is encrypted by the healthcare organization in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, the organization is not required to conduct a risk assessment to determine whether there is a low probability of compromise, and breach notification is not required, HHS stated.

However, the HHS guidance notes that even if the PHI is encrypted, additional analysis may still be required to ensure the encryption solution has rendered the affected PHI “unreadable, unusable and indecipherable to unauthorized persons.”

As an example, the HHS guidance cites a laptop, encrypted with a full disk encryption solution in a manner consistent with the HHS guidance, that is properly shut down and powered off and then lost or stolen. The data on the laptop would be unreadable, unusable and indecipherable to anyone other than the authenticated user. “Because the PHI on the laptop is not “unsecured PHI”, a covered entity or business associate need not perform a risk assessment to determine a low probability of compromise or provide breach notification,” HHS stated.

In contrast, according to the guidance, if the laptop is powered on and in use by an authenticated user who then performs an action (clicks a link to a malicious website, opens an attachment from a phishing email, etc.) that infects the laptop with ransomware, there could be a breach of PHI. The distinction is that full disk encryption protects data at rest: once the user has unlocked the volume, the operating system decrypts on read for every process running in that session, the ransomware included, so it offers no protection against malware executing with the user’s privileges. “If full disk encryption is the only encryption solution in use to protect the PHI and if the ransomware accesses the file containing the PHI, the file containing the PHI will be transparently decrypted by the full disk encryption solution and access permitted with the same access levels granted to the user,” the HHS guidance stated.

“Because the file containing the PHI was decrypted and thus ‘unsecured PHI’ at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed. Under the HIPAA Breach Notification Rule, notification in accordance with 45 CFR 164.404 is required unless the entity can demonstrate a low probability of compromise of the PHI based on the four factor risk assessment,” the HHS guidance also stated.
