It seems we can’t have a conversation about data security these days without mentioning ransomware.  Public and private companies are reporting increasing numbers of ransomware attacks, and health care providers and business associates are no exception to this trend.

Ransomware – What is it?

At its most fundamental, ransomware is a type of malicious software that infiltrates a person or company’s computer system and encrypts certain data that is stored electronically.  Essentially, ransomware locks users out of accessing their data until a “ransom” is paid.  Ransomware may also be used in conjunction with other malware to gain access to IT systems in an effort to steal data housed within the IT system.

Although not expressly mentioned in the Security Rule, a covered entity or business associate’s HIPAA compliance program necessarily must include analyses relating to the potential for, and responses to, ransomware attacks. Risk management plans, risk analyses, and other security assessments should identify threats and vulnerabilities to electronic protected health information (PHI) and a company needs to implement procedures to guard against and detect malicious software, including ransomware.

At a minimum, because ransomware prevents users from accessing data, covered entities and business associates need to ensure their data is frequently backed up and must otherwise ensure data recoverability.  Entities should consider maintaining back-ups offline and unavailable from their networks.  Disaster recovery and emergency operation plans should all include contingencies in which the covered entity or business associate is denied access to their data.

Is a Ransomware Attack a HIPAA Breach?

A ransomware infiltration may or may not result in a HIPAA Breach, as “Breach” is defined under the HIPAA Regulations.  45 CFR 164.402 defines a “Breach” as the “acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information.”

In the event of a ransomware attack, covered entities and business associates must follow the risk assessment protocols outlined in the Breach Notification Rule, including an assessment of:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

Unless the covered entity or business associate can demonstrate that there is a low probability that the protected health information has been compromised, then a Breach is presumed and the breach notification procedures should be followed.

Although each potential Breach needs to be evaluated based on its own facts and circumstances, OCR has identified certain factors that should be assessed when evaluating whether a ransomware infiltration has resulted in a Breach:

  1. The type of malware discovered;
  2. The algorithmic steps taken by the malware;
  3. Attempts to remove data from the IT system; and
  4. Whether or not the malware propagated to other systems.

Remember, as with all risk assessments, a covered entity or business associate must create and maintain supporting documentation sufficient to meet their burden of proof regarding the determination of whether or not a Breach has occurred.

As with many facets of HIPAA compliance, the protocols and procedures that are implemented prior to a ransomware infiltration, including data back-ups, training, and contingency planning, will dramatically affect the outcome of a ransomware attack.  As they say, an ounce of prevention is worth a pound of cure.