Ransomware and HIPAA Compliance
Aug 30, 2017
By: Jeff Olejnik
Ransomware attacks continue to escalate worldwide. In fact, an estimated 4,000 ransomware attacks occurred daily in 2016...and that was before WannaCry and Petya!
Healthcare providers and payers are not immune to this type of security incident. Consider the highly publicized incident that took Hollywood Presbyterian Medical Center offline for over a week, or the most recent ransomware attack on the Women’s Health Care Group of PA, which impacted more than 300,000 patients.
These incidents are painful to deal with because they disrupt IT availability and can be expensive to remediate. Yet organizations often argue that because ransomware only encrypts data and does not exfiltrate it (including ePHI), the HIPAA breach notification requirements do not apply. Think again!
The U.S. Department of Health and Human Services (HHS) issued a Fact Sheet that addresses ransomware and HIPAA. A couple of key points from this guidance include:
- Ransomware impacting ePHI is considered a security breach under the HIPAA Security Rule. A breach under the HIPAA rules is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the privacy rule, which compromises the security or privacy of the PHI. According to HHS’s Office for Civil Rights (OCR), when electronic PHI is encrypted in a ransomware attack, a breach has occurred because the encryption constitutes acquisition of the PHI by an unauthorized individual and, thus, is a disclosure not permitted by the privacy rule.
- Breach notification is required unless a covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised. Section 7 of the fact sheet outlines the factors that may demonstrate a “low probability.” The important takeaway is that organizations should include ransomware in their incident response planning and training process. Tabletop exercises that walk through response procedures are an excellent way to prepare.
In addition to the HIPAA implications of a breach, organizations should look at ways to prevent ransomware incidents from occurring, and know what to do if an incident does happen in order to mitigate the damage. Refer to Wipfli’s article on ransomware for prevention measures and response tips.