Ransomware Considered a HIPAA Breach

OCR has recently made it clear that a ransomware infection affecting ePHI is presumed to be a breach under the HIPAA Breach Notification Rule. Whether you must actually notify, however, depends on what your investigation finds.

Ransomware is a form of malware, most commonly seen as a CryptoLocker-style variant. When one of these variants infects a computer, it encrypts the user's important files, deletes the originals, and tells the user they must pay to receive the key that unlocks their data.

By its very nature, this is a breach. How? An unauthorized party has gained access to the user's computer and, at a minimum, encrypted the data on it (potentially ePHI). OCR treats that encryption as an unauthorized acquisition of the ePHI. The incident has definitely compromised the availability and integrity of the data, and potentially its confidentiality. At face value, this means you must now conduct your incident response procedures to assess the risk, and then follow the notification processes of the Breach Notification Rule.

HOWEVER... if the covered entity (or business associate) can show that there is a low probability that the ePHI has been compromised, the incident is no longer a reportable breach under HIPAA (though it is still a breach, and a security incident, in strict security terms).

So how do we get out of HIPAA breach territory? You must conduct a risk assessment of the incident that covers at least the following four factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the protected health information or to whom the disclosure was made
  • Whether the protected health information was actually acquired or viewed
  • The extent to which the risk to the protected health information has been mitigated

If, after conducting this formal risk assessment of the incident, you determine that there is a low probability that the privacy of the data has been compromised, and that the data has been restored in a timeframe and manner that does not compromise patient care, the event can be considered NOT a breach and not subject to the reporting requirements. Document the assessment and its conclusion: under the Breach Notification Rule the burden of proof is on the covered entity to show that the incident was not a breach, and a determination you cannot show your work for will not hold up with OCR.

Assessing the risk involved in an incident is the area of security called "incident response." Incident responders work to establish the scope of the incident: what data was accessed, how, and by whom. This means analyzing the malware sample for its particular characteristics and behavior, in particular whether it only encrypts files in place or is also capable of reading and sending data off the host, since that directly affects the "actually acquired or viewed" factor above. Responders will usually also perform cleanup activities to remove the infection and help restore normal operations.

As always, the best defense against ransomware attacks lies in "security hygiene" activities: timely software updates, active and up-to-date anti-malware services, hardened endpoint configurations, user education, and tested backups kept where ransomware cannot reach them, since your ability to restore data quickly is what keeps patient care from being compromised.

GoldSky is poised to help your practice achieve security and help prevent malware before it strikes. But when it does (and it inevitably will), GoldSky will be there to help clean up!