HHS Issues Guidance On Ransomware And HIPAA

Written by: Richard Sheinis, Esq. 

On Monday, July 11, HHS issued a “Fact Sheet” on ransomware and HIPAA. While we know that the frequency of ransomware attacks has gone through the roof, HHS brought us some sobering figures. Since early 2016 there have been 4,000 daily ransomware attacks reported in the U.S. This represents a 300% increase over the daily ransomware attacks reported in 2015.

The most pertinent information in the Fact Sheet is HHS’s guidance on whether it is a HIPAA breach when ransomware infects the computer system of a medical provider or a business associate. While this has been a subject of debate in the medical/legal HIPAA community for some time, it has been my opinion that “classic” ransomware, which only encrypts electronic Protected Health Information (“ePHI”) in the computer system, is not a HIPAA breach because it does not view, acquire or disclose the PHI. HHS disagrees and stated, “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals had taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.”

This “disclosure” is presumed to be a HIPAA breach, unless the covered entity or business associate can demonstrate through a risk analysis that there is a low probability that the ePHI has been compromised. Although I remain confident in my opinion that classic ransomware it is not a HIPAA breach, HHS’s opinion carries slightly more weight than mine. Therefore, we have to play by their rules.

Perhaps the most concerning aspect of HHS’ guidance is that a single ransomware infection can encrypt a medical provider’s entire EMR database.  This could potentially lead to the medical provider having to notify every patient in their database.  Even for a small provider, this could be several thousand patients!

It is my recommendation that any time a medical provider or business associate is infected with ransomware, they drill down to identify the ePHI affected by the ransomware, when it was affected, and how the ransomware was introduced into the computer system. This highlights the importance of ePHI being encrypted at rest, and when in motion, by those entities subject to HIPAA. Since encrypted ePHI is not considered “unsecured PHI”, a breach of already encrypted ePHI is likely not going to qualify as a HIPAA breach. HHS’s guidance also underscores the importance of having adequate access monitoring and logging tools, among other features, so you or your IT security specialist can perform a meaningful forensic analysis of the computer system.  This is also necessary to detect the newer strains of ransomware that do access or exfiltrate ePHI from the computer system before encrypting it.

You can find the complete HHS Fact Sheet here: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.  Feel free to contact me if you have any questions or need additional information.