Is a ransomware attack on a healthcare organization’s or business associate’s computer system a breach under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule? If the electronic protected health information (ePHI) has been encrypted as a result of ransomware, then yes, according to newly released guidance from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Unless the covered entity or business associate can demonstrate that there is a “...low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred, according to the HHS ransomware and HIPAA guidance. This means that a healthcare organization, or a business associate, that has been subjected to a ransomware attack “must comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements,” the OCR guidance stated, citing federal regulations under 45 C.F.R. 164.400-414.
HHS OCR released the ransomware and HIPAA guidance at a time when healthcare organizations are increasingly faced with new cybersecurity threats. The guidance aims to provide healthcare organizations with information about ransomware attack prevention and recovery from a healthcare sector perspective, including the role HIPAA has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.
According to HHS, a recent U.S. government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300 percent increase over the 1,000 daily ransomware attacks reported in 2015). Ransomware exploits human and technical weaknesses to gain access to an organization’s technical infrastructure in order to deny the organization access to its own data by encrypting that data, HHS stated.
The guidance seems to be in line with recent calls from the industry and legislators for HHS to develop guidance that recognizes the differences between ransomware and traditional data breaches under the HIPAA Privacy Rules. As previously reported by Healthcare Informatics, Representatives Ted Lieu (D-Los Angeles County) and Will Hurd (R-San Antonio) recently wrote a letter to Deven McGraw, Deputy Director of the Office for Civil Rights (OCR) under HHS, calling on federal regulators to treat ransomware attacks as breaches under the Health Information Technology for Economic and Clinical Health (HITECH) Act and to recommend guidance that “aggressively requires reporting of ransomware attacks to regulators.”
In the letter, Reps. Hurd and Lieu wrote, "If the provider or other party providing care would be either unable to care for the patient or unable to provide information critical to the care for the person, swift patient notification is paramount, but if the ransomware does not affect patient safety then patient notification may be unnecessary."
Specifically addressing the issue of whether or not the presence of ransomware constitutes a breach under the HIPAA rules, the HHS guidance states that it is a “fact-specific determination.” A breach under the HIPAA Rules is defined as “…the acquisition, access, use or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI,” according to HHS, citing federal code 45 C.F.R. 164.402.
“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule,” the HHS guidance stated.
As stated above, if a healthcare organization can demonstrate a “low probability” that the PHI has been compromised, then a breach notification is not required.
According to the HHS guidance, in order to demonstrate that there is a low probability that the PHI has been compromised because of a breach, healthcare organizations have to conduct a risk assessment considering at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
The agency also states that a thorough evaluation of the ransomware attack, conducted as part of the security incident response, could help reveal the exact type and variant of malware discovered, the algorithmic steps undertaken by the malware, and whether or not the malware propagated to other systems; this in turn could help organizations with the risk assessment process.
HHS also encourages organizations to consider whether there is a high risk of unavailability of the data, or a high risk to the integrity of the data, as such additional factors may indicate compromise. “In those cases, entities must provide notification to individuals without unreasonable delay, particularly given that any delay may impact healthcare service and patient safety,” the HHS guidance stated.
In addition, HHS recommends that organizations consider the impact of the ransomware on the integrity of the patient data (PHI). The agency notes that ransomware frequently deletes the original data after encrypting it, leaving only the data in encrypted form. “An entity may be able to show mitigation of the impact of a ransomware attack affecting the integrity of the PHI through the implementation of robust contingency plans including disaster recovery and data backup plans,” the HHS guidance stated.
“Test restorations should be periodically conducted to verify the integrity of backed up data and provide confidence in an organization’s data restoration capabilities,” HHS stated, also noting that organizations should consider whether or not PHI has been exfiltrated.
Regarding ePHI that was already encrypted by the organization to comply with HIPAA, the HHS guidance states that the HIPAA breach notification provisions apply to “unsecured PHI,” which is PHI that is not secured through the use of a technology or methodology. If the ePHI is encrypted by the healthcare organization in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, then the organization is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required, HHS stated.
However, the HHS guidance notes that even if the PHI is encrypted, additional analysis may still be required to ensure the encryption solution has rendered the affected PHI “unreadable, unusable and indecipherable to unauthorized persons.”
As an example, the HHS guidance cites a laptop encrypted with a full disk encryption solution in a manner consistent with HHS guidance that is properly shut down and powered off and then lost or stolen. The data on the laptop would be unreadable, unusable and indecipherable to anyone other than the authenticated user. “Because the PHI on the laptop is not ‘unsecured PHI’, a covered entity or business associate need not perform a risk assessment to determine a low probability of compromise or provide breach notification,” HHS stated.
In contrast, according to the guidance, if the laptop is powered on and in use by an authenticated user, who then performs an action (clicks on a link to a malicious website, opens an attachment from a phishing email, etc.) that infects the laptop with ransomware, there could be a breach of PHI. “If full disk encryption is the only encryption solution in use to protect the PHI and if the ransomware accesses the file containing the PHI, the file containing the PHI will be transparently decrypted by the full disk encryption solution and access permitted with the same access levels granted to the user,” the HHS guidance stated.
“Because the file containing the PHI was decrypted and thus ‘unsecured PHI’ at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed. Under the HIPAA Breach Notification Rule, notification in accordance with 45 CFR 164.404 is required unless the entity can demonstrate a low probability of compromise of the PHI based on the four factor risk assessment,” the HHS guidance also stated.