HHS: Most Ransomware Attacks Are Reportable Breaches
But Does New Guidance Go Far Enough in Describing Reporting Requirements?
Most ransomware attacks result in a breach of protected health information that must be reported under HIPAA, according to newly released federal ransomware guidance for healthcare entities and business associates.
The long-awaited guidance from the Department of Health and Human Services' Office for Civil Rights also offers tips on avoiding ransomware attacks, as well as on detecting and mitigating them once they occur.
While some security experts praise HHS for taking a firm stand on the reportability of ransomware-related breaches, others say the guidance still leaves too much ambiguity.
In announcing the guidance, HHS also issued a letter from HHS Secretary Sylvia Mathews Burwell urging healthcare entities to educate their senior leadership teams on the serious risks posed by ransomware, "where an attacker gains access to your system and encrypts your data and holds it hostage until payment is received."
Ransomware attacks have the potential to disrupt organizations' ability to provide healthcare services and other daily operations; inflict significant financial losses; damage sensitive data beyond recovery and repair; expose data to a breach; and "harm the hard-earned reputation of your business," she writes. "This is not just a matter for CIOs - this is a major threat to all aspects of your business."
In addressing whether ransomware attacks are generally considered reportable breaches under HIPAA, the guidance notes: "Whether or not the presence of ransomware would be a breach under the HIPAA rules is a fact-specific determination." Under HIPAA, a breach is defined as the acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, OCR notes in the guidance.
In a significant statement that aims to clarify reporting requirements, the guidance also points out: "When electronic PHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired by unauthorized individuals [who] have taken possession or control of the information, and thus is a 'disclosure' not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised, based on the factors set forth in the [HIPAA] breach notification rule, a breach of PHI is presumed to have occurred." Unless the entity can rebut that presumption through a documented risk assessment, it must comply with the rule's notification provisions.
More Clarity Needed?
Privacy and security expert Kate Borten, founder of the consulting firm The Marblehead Group, says the new guidance "reinforces the HIPAA Breach Notification Rule, and avoids introducing any new twists or compromises specific to ransomware. HHS took an appropriately firm stand on ransomware. Ransomware provides access to data, even if the attacker's only motivation is to obtain ransom payment."
Some regulatory experts, however, fault the new guidance for a lack of clarity.
"The guidance is helpful in many respects, and frustratingly opaque in other respects," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "For example, the guidance clarifies that a ransomware attack is inherently an impermissible 'disclosure' of PHI - although I think that this is a stretch of the term 'disclosure' - and provides helpful information about facts to consider when completing the breach risk assessment. What is frustrating is that we still don't have a definition of 'compromise' for purposes of the 'low-probability-of-compromise' test, and the guidance leaves uncertain whether a loss of availability of PHI, without an exfiltration of the data, is considered a 'compromise.'"
As a result, some organizations may consider a successful ransomware attack as a reportable breach even if the evidence indicates that no PHI was exfiltrated, while others will only treat it as a breach if the PHI is exfiltrated and received by attackers, Greene contends.
The guidance also addresses special circumstances in some ransomware attacks, including whether an attack is a breach when the ransomware encrypts ePHI that the entity had already encrypted. On that point, the guidance states:
"If the ePHI is encrypted by the entity in a manner consistent with [HIPAA guidelines] such that it is no longer 'unsecured PHI,' then the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required."
The guidance is helpful in providing a few examples of when a ransomware attack may or may not be reportable, depending on the ability of the covered entity or business associate to demonstrate that there is a low probability of compromise, says healthcare attorney Betsy Hodge of the law firm Akerman LLP.
"However, as OCR says in the guidance, determining whether a particular ransomware attack is a reportable breach is a fact-specific exercise," she says. "Unless OCR provides more examples of when a ransomware attack, or any inability to access data, is a reportable breach, covered entities and their business associates may continue to struggle to determine if a reportable breach has in fact occurred."
"There are many covered entities and business associates who may not have the internal technical capability or the financial resources to bring in outside consultants and therefore, may not be able to perform the forensic work necessary to determine and document if, in fact, electronic PHI was compromised during the ransomware attack."
A Serious Threat
One of the most important messages of the guidance is the emphasis on ransomware as a serious threat, says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.
"We need to look at ransomware attacks as being more than about reporting HIPAA breaches," he says.
"The value of the OCR guidance ... is its emphasis on explaining that ransomware is more than an issue impacting the confidentiality of patient health records. As the guidance makes clear, organizations are expected to have in place security measures to prevent infections from malware and ransomware because they can cause disruption to information systems and loss of access to patient information. It is the responsibility of covered entities and business associates to be prepared to recognize, respond and restore if they are attacked with malware or ransomware."
The OCR guidance also offers advice on preventing, detecting and mitigating ransomware infections. It includes insights on:
- How to prevent malware infections by, for example, mitigating vulnerabilities and training users;
- How compliance with HIPAA Security Rule provisions - such as backing up data - can help organizations recover from ransomware and other malware infections;
- How organizations can detect if their computer systems are infected with ransomware by looking for certain early indicators;
- What organizations should do if their computer systems are infected with ransomware, including taking measures to isolate the infected computer systems and contacting the FBI or U.S. Secret Service.
"The guidance's most important lesson is prevention and preparation - checking backups, practicing system restoration and keeping backups secure - such as maintaining offline copies to avoid corruption," Greene says.
Call to Action
The OCR guidance, which was issued July 11 and had been in the works for several months, comes about two weeks after a bipartisan pair of congressmen sent a letter to HHS urging "timely issuance" of ransomware guidance (see Congressmen: Ransomware Requires New Guidance).
While the new OCR guidance addresses some of the issues raised by Ted Lieu, D-Calif., and Will Hurd, R-Texas, in their letter - such as the importance of breach notification - it does not directly address some of the letter's other recommendations.
For example, the congressmen urged OCR to "aggressively require" reporting of ransomware attacks to appropriate healthcare-related information sharing and analysis organizations, but that's not mentioned in the guidance.
Changing Breach Trends?
Some high-profile ransomware attacks, including one in February on Hollywood Presbyterian Medical Center, have not yet shown up on HHS' "wall of shame" website of health data breaches impacting 500 or more individuals. But the guidance could help change that, Hodge says.
"Now that OCR has explicitly stated its presumption that a ransomware attack is a breach, unless a covered entity or business associate can demonstrate that there was a low probability of compromise, we should expect to see more ransomware attacks being reported to OCR," she says.
And if that happens, OCR should share details of the incidents reported, Hodge suggests. "As OCR gets more reports of ransomware attacks, it would be helpful if the agency could provide covered entities and business associates with more examples of situations where the facts indicate that a breach has occurred and those situations where an organization was able to demonstrate a low probability of compromise."