HHS: Ransomware Infections are (Probably) Reportable Under HIPAA
New guidance from the Office of Health and Human Services says that ransomware infections affecting health information are breaches that must be reported under HIPAA.
With the epidemic of ransomware outbreaks in the healthcare sector, there has been a lot of public and private debate about whether a ransomware infection is a reportable incident under the federal HIPAA patient privacy regulations. After all, ransomware is just another form of malware. And, while some families of ransomware are single-purpose creations, the ransom functionality (encrypting files on the local hard drive, etc.) is increasingly just one check-box option alongside others – including keylogging and data exfiltration – in multi-function malicious software.
As we wrote last week, the Department of Health and Human Services has been formulating guidance for healthcare organizations that are HIPAA “covered entities” on how to deal with ransomware, including infections and outbreaks. This week, HHS issued that guidance, and suggested strongly that ransomware infections that affect electronic patient health information (ePHI) are reportable under HIPAA.
“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired,” HHS said in its guidance. Looked at simply, HHS wrote, “individuals have taken possession or control of the information,” and that constitutes a ‘disclosure’ not permitted under the HIPAA Privacy Rule.
There is a bit of wiggle room. For example, covered entities that can demonstrate that there’s a “low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, wouldn’t have to follow through with a breach notification. Failing that, however, organizations that have had ransomware touch ePHI must assume a breach has occurred and comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay and, where the breach affects more than 500 individuals, notification of the Secretary of HHS and the media.
What constitutes a “low probability”? HHS lays out a four-part risk assessment to answer that question. Healthcare organizations have to ask themselves what the nature and extent of the PHI involved in the incident are, and whether there is a likelihood of ‘re-identification’ from the affected data. Covered entities that have experienced a ransomware attack also must consider who the unauthorized person was who used the PHI, or to whom the disclosure was made (chances are: shadowy cyber criminals would raise the bar for ‘low probability’). Finally, covered entities are asked to consider whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.
As I wrote last week, HHS has been weighing how to respond to the ransomware epidemic within healthcare. So far, organizations affected by ransomware have emphasized that ‘no patient health data was compromised,’ even when it was clear that patient data had been swept up in the infection: being encrypted by the malware, or residing on systems that had been locked by the ransomware. Data that is encrypted and left at rest, the thinking went, wasn’t leaked and, therefore, no breach took place.
The new guidance from HHS draws a clearer line. Healthcare organizations are asked to do in-depth incident response and use the data collected in that process to help answer questions about whether covered patient data may have been misused. Among the factors to consider: the exact type and variant of malware discovered, the “algorithmic steps undertaken by the malware,” and communications made by the malware including “exfiltration attempts” between malware and the command and control servers that stand behind most malware. Organizations should consider whether the malware propagated to other systems, potentially affecting additional sources of electronic PHI (ePHI).
“Correctly identifying the malware involved can assist an entity to determine what algorithmic steps the malware is programmed to perform. Understanding what a particular strain of malware is programmed to do can help determine how or if a particular malware variant may laterally propagate throughout an entity’s enterprise, what types of data the malware is searching for, whether or not the malware may attempt to exfiltrate data, or whether or not the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthorized access, among other factors,” HHS advises.
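To show how the four-factor assessment above and the incident-response evidence HHS asks for (identified malware family and its behaviour, command-and-control traffic including exfiltration attempts, lateral propagation) fit together, here is an added example in Python. It is not code from HHS or from this article. The proxy log format, the sample log lines, the C2 indicator, the byte threshold, the field names and the decision rule (a breach is assumed unless every finding that could defeat a “low probability” showing is absent, and a rebuttal must rest on reviewed network evidence rather than on its absence) are all constructed for this example; the only HHS-derived numbers are the 500-individual media threshold and the four factors themselves.

```python
"""Breach-notification determination for a ransomware incident (added example)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed proxy log: "<timestamp> <source host> <destination> <bytes out>".
SAMPLE_PROXY_LOG = """\
2016-07-12T03:14:07 ws-0417 updates.example-cdn.net 1204
2016-07-12T03:14:09 ws-0417 203.0.113.45 52
2016-07-12T03:15:31 ws-0417 203.0.113.45 48311204
2016-07-12T03:16:02 ws-0981 mail.example.org 8820
"""
# Constructed C2 indicator, the kind of value the malware-identification step yields.
C2_HOSTS: Set[str] = {"203.0.113.45"}
MEDIA_THRESHOLD = 500          # HHS: media notice when more than 500 individuals affected
BULK_UPLOAD_BYTES = 1_000_000  # constructed cut-off: beacons are tiny, data uploads are not


def parse_proxy_log(text: str) -> List[Tuple[str, str, str, int]]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        rows.append((parts[0], parts[1], parts[2], int(parts[3])))
    return rows


def bulk_uploads_to_c2(rows, c2_hosts: Set[str], threshold: int = BULK_UPLOAD_BYTES):
    """Connections that pushed more than `threshold` bytes to a known C2 host.
    This is the 'exfiltration attempt' evidence factor 3 asks about."""
    return [(src, dst, sent) for _, src, dst, sent in rows
            if dst in c2_hosts and sent > threshold]


@dataclass
class MalwareProfile:
    family: str            # identified family/variant (constructed names below)
    exfiltrates: bool      # known to steal data rather than only encrypt it
    propagates: bool       # spreads laterally through the enterprise
    drops_backdoor: bool   # leaves tooling for future unauthorized access


@dataclass
class Findings:
    malware: MalwareProfile
    individuals_affected: int
    direct_identifiers: bool          # names, SSNs, MRNs in the affected ePHI
    c2_uploads: List[Tuple[str, str, int]]
    other_ephi_hosts_hit: int         # additional ePHI systems the malware reached
    network_evidence_complete: bool   # C2 traffic for the incident window was reviewed
    restored_and_contained: bool      # backups restored, persistence removed


@dataclass
class Determination:
    low_probability: bool
    notify_individuals: bool
    notify_hhs: bool
    notify_media: bool
    notes: List[str] = field(default_factory=list)


def assess(f: Findings) -> Determination:
    """Apply the four factors; anything in `blockers` defeats a low-probability showing."""
    m, notes, blockers = f.malware, [], []
    # Factor 1: nature and extent of the PHI, likelihood of re-identification.
    notes.append("identifiable PHI involved" if f.direct_identifiers
                 else "no direct identifiers in affected ePHI")
    if f.other_ephi_hosts_hit:
        blockers.append(f"propagated to {f.other_ephi_hosts_hit} more ePHI system(s); extent not yet bounded")
    # Factor 2: the unauthorized party is an unknown criminal operator, so the
    # entity must show absence of acquisition with evidence, not lack of logs.
    notes.append("acquired by unknown external actor")
    if not f.network_evidence_complete:
        blockers.append("C2/exfiltration traffic not fully reviewed")
    # Factor 3: was the PHI actually acquired or viewed?
    if f.c2_uploads:
        blockers.append(f"bulk upload to C2 observed: {f.c2_uploads}")
    if m.exfiltrates or m.drops_backdoor:
        blockers.append(f"{m.family} is known to exfiltrate data or leave a backdoor")
    # Factor 4: extent to which the risk has been mitigated.
    if not f.restored_and_contained:
        blockers.append("incident not fully mitigated")
    low = not blockers
    # Notice to the Secretary applies to any breach; the 500 threshold governs timing and media notice.
    return Determination(low, not low, not low,
                         (not low) and f.individuals_affected > MEDIA_THRESHOLD, notes + blockers)


def example_breach() -> Determination:
    uploads = bulk_uploads_to_c2(parse_proxy_log(SAMPLE_PROXY_LOG), C2_HOSTS)
    return assess(Findings(MalwareProfile("constructed-multifunction", True, True, True),
                           2300, True, uploads, 3, True, True))


def example_low_probability() -> Determination:
    return assess(Findings(MalwareProfile("constructed-locker", False, False, False),
                           120, True, [], 0, True, True))


def example_incomplete_evidence() -> Determination:
    return assess(Findings(MalwareProfile("constructed-locker", False, False, False),
                           120, True, [], 0, False, True))


if __name__ == "__main__":
    for d in (example_breach(), example_low_probability(), example_incomplete_evidence()):
        print(d)
```

The third scenario is the one the guidance turns on: a single-purpose locker with no exfiltration evidence still lands in “assume a breach” when the organization cannot show it reviewed the malware’s C2 traffic, because the default under the Breach Notification Rule is that the entity, not the regulator, carries the burden of demonstrating low probability.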
What is unclear now is whether the HHS guidance will be retroactive – and whether organizations that experienced ransomware infections in recent months and years might now be compelled to report such incidents as breaches.
Stay tuned for more….