Cyber crime has been increasing recently in the form of ransomware attacks, and hospitals, among others, have been targeted. Ransomware is a type of malware or intrusive software injected into a computer or network system that permits a hacker to encrypt data and hold it hostage until a ransom is paid. According to one government report, in early 2016 there was an average of 4,000 daily ransomware attacks, a 300% increase over the 1,000 daily ransomware attacks in 2015. In addition, earlier this year the FBI stated that ransomware attacks are “a prevalent, increasing threat.”
In response, on July 11, 2016 the U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR) released guidance, Your Money or Your PHI: New Guidance on Ransomware, for covered entities regarding such attacks. The guidance states that a covered entity’s compliance with requirements under the HIPAA Security Rule can help as a preventive measure against ransomware attacks, and also help covered entities recover from such attacks more quickly and effectively. OCR says covered entities can help prevent these attacks by implementing HIPAA Security Rule requirements such as a security management process (including a risk analysis), procedures to guard against and detect malicious software, and by training users so they can assist in detection of malicious software and know how to report within the organization. With respect to recovering from a ransomware attack, OCR references HIPAA Security Rule requirements such as having a data backup plan and an overall contingency plan in place to address disaster recovery and emergency operations, and periodic testing of such plans to ensure the organization is ready to implement them as needed. Such plans should allow the entity to continue operations while responding to a ransomware attack. OCR also emphasizes the importance of having security incident procedures in place to effectively manage the process of responding to a ransomware attack.
Notably, OCR also addresses whether or not a ransomware attack should be considered a breach, which triggers reporting requirements to affected individuals, the Secretary of HHS, and, for breaches affecting over 500 individuals, the media. OCR’s blog post summarizing the guidance states that when electronic protected health information (“PHI”) is encrypted as a result of a ransomware attack, “usually” a breach has occurred, although it also notes that a covered entity can rebut this presumption if it demonstrates a low probability that the PHI has been compromised. The covered entity would need to do so by engaging in a risk assessment, considering at least the following four factors: (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated.
The OCR guidance itself provides more detail, and seems to acknowledge that in some cases a covered entity could determine that a ransomware attack does not constitute a breach. OCR identifies a number of factors that could assist a covered entity with the risk assessment process, including the type of malware involved, the algorithmic steps undertaken by the malware, exfiltration attempts, and whether the malware propagated to other systems. OCR states that “[u]nderstanding what a particular strain of malware is programmed to do can help determine how or if a particular malware variant may laterally propagate throughout an entity’s enterprise, what types of data the malware is searching for, whether or not the malware may attempt to exfiltrate data, or whether or not the malware deposits hidden malicious software or exploits vulnerabilities to provide further unauthorized access . . . .”
Notably, with respect to the fourth factor that covered entities must consider – the extent to which the risk is mitigated – OCR states that a covered entity should consider the impact of the ransomware on the integrity of the PHI, such as whether the covered entity is able to restore the PHI through implementation of disaster recovery and data backup plans.
Based on OCR’s more detailed guidance, the assertion in OCR’s blog that a breach will “usually” occur as a result of a ransomware attack seems aggressive. For example, if the ransomware attack did not steal data, but rather did nothing more than lock individuals or companies out of computer files with a demand for ransom payment, and the covered entity is able to restore the data, a covered entity might be able to conclude that there is a low probability that the PHI has been compromised.
This analysis highlights the difficulty arising from HHS’ shift in approach to breach analysis in 2013, as part of the HIPAA Omnibus Final Rule. Prior to that rule, the question in a breach analysis was whether there was a risk of financial, reputational, or other harm to the individual. Under the revised rule, the question is whether the data has been “compromised.” The stated goal was to shift to a more objective standard, with a focus on harm to the data, as opposed to harm to the individual. But the factors that a covered entity is required to consider in its risk analysis seem still to point to the risk of potential harm to the patient, and in the end it seems pointless at best to notify a patient of a data breach if there is no risk to the patient. To put the question squarely, if data is effectively destroyed, but there is no risk of harm to the patient, has the data been “compromised” for breach reporting purposes?
Separately, on February 18, 2016, SB 1137 was introduced in the California legislature and is currently making its way through the legislative process. SB 1137 would revise California’s penal code to make it a felony to knowingly use ransomware to hold data hostage. Interestingly, earlier this month the website of the bill’s author was itself subject to a ransomware attack.
Proponents of the legislation state that the law would send a message to perpetrators that California takes ransomware attacks very seriously, and would place law enforcement in a better position to take action against such perpetrators. However, the effectiveness of the bill (if passed) in curbing such attacks is questionable, since such attacks are hard to trace and often originate from overseas.
The increasing prevalence of ransomware attacks is not surprising; it is part of the new reality that health care providers have to face, given the routine onslaught of attempts by hackers to access computer systems. In addition, it remains to be seen whether legislative attempts to address the issue can curb this growing trend. Providers would be well served to engage in proactive measures to maintain or establish security safeguards in compliance with the HIPAA Security Rule, including development and periodic testing of contingency plans, to ensure organizational readiness if a ransomware attack occurs.
Hooper, Lundy & Bookman assists clients with a range of HIPAA compliance activities, including compliance counseling, policies and procedures, workforce training and managing data breaches.