HHS Issues New Guidance on Ransomware Attacks Against HIPAA-Covered Entities
Ransomware attacks at hospitals and other healthcare facilities have dramatically increased over the last several years, putting healthcare providers in the uncomfortable position of having to consider paying thousands of dollars to regain access to vital medical records. Indeed, one recent study concluded that hospitals are hit with 88% of all ransomware attacks nationwide.
As the name suggests, ransomware attacks occur when a cyber-attacker places some form of malicious software inside a victim’s computer systems that encrypts the victim’s data and prohibits the victim from accessing it, and then demands ransom to “unlock” the data. Hospitals are particularly vulnerable to ransomware attacks because their electronic medical records are crucial to providing patient care.
As with any form of data breach, ransomware attacks pose several challenges for victims, including what—if any—obligation the victim entity has to notify law enforcement, regulators, its customers, and its employees of an attack. But for hospitals and other healthcare providers whose electronic medical records are subject to the protections of the HIPAA Privacy Regulations, a ransomware attack raises several additional concerns relating to the victim’s obligation to keep patient medical records confidential.
Recognizing the ever-increasing threat and unique challenges that ransomware attacks pose to HIPAA-covered entities, the United States Department of Health and Human Services (“HHS”) recently released a new guidance document to help HIPAA-covered entities “better understand and respond to the threat of ransomware.”
The new guidance confirms that whether any ransomware attack on a HIPAA-covered entity is also a HIPAA breach requiring compliance with HIPAA breach notification requirements is necessarily a fact-specific inquiry. But HHS has clarified that any ransomware attack involving electronic personal health information (“ePHI”) is presumptively a HIPAA breach and breach notification is required, unless the HIPAA-covered entity that is the victim of the attack can demonstrate to regulators that there is a “low probability that [ePHI] has been compromised.”
In order to establish that there is a “low probability,” the new HHS guidance points to four factors that must be considered: “(1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.” The new guidance also encourages affected entities to consider additional factors such as whether “there is high risk of unavailability of the data, or high risk to the integrity of the data.”
The new HHS guidance recognizes that a ransomware attack targeting already-encrypted ePHI may not constitute a HIPAA breach, because the cyber-attacker would not be able to access that data in human-readable form. Even so, HHS notes that encryption may nevertheless be insufficient to thwart a ransomware attack if the ransomware is inadvertently launched by the user of an encrypted computer while it is powered on and logged in, since the data is already accessible in decrypted form at that point.
Unless the HIPAA-covered entity that is the victim of a ransomware attack can demonstrate that the factors listed above are satisfied, it is required to comply with existing HIPAA breach notification requirements, including promptly notifying affected individuals, the Secretary of HHS, and the media (in cases where more than 500 individuals’ records have been compromised).
What the guidance does not address, however, is the answer that may be most important to a HIPAA-covered entity that is subject to a ransomware attack: whether to pay the ransom demanded by the cyber-attacker.
This question has previously been addressed by various other federal agencies, which generally suggest not paying extortionists and instead turning the matter over to law enforcement. But for hospitals and other HIPAA-covered entities that depend on ready access to electronic medical records to provide the best possible care, any delay in recovering access to patient data that is being held for ransom may literally be a matter of life or death.
As with other forms of cyber-attacks, the best way for HIPAA-covered entities to avoid facing the challenges of responding to a ransomware attack is to take all necessary steps to avoid an attack in the first place, and to have a robust cyber-attack response plan in place—which incorporates HIPAA notification requirements—in the event an attack does occur.