The U.S. Department of Health and Human Services on Monday issued new guidance that suggests strongly that ransomware infections that affect electronic patient health information (ePHI) are reportable violations under HIPAA. This will send waves through the healthcare industry and send compliance teams scrambling to figure out how to deal with this decision.
Ransomware is a type of computer infection that, once installed, discovers your files and encrypts them, making them unusable to the user. The computer then displays a warning message that it has been infected and demands a payment to release the data. The infection holds your data for ransom. If you do not pay within the set timeframe, the infection deletes the files or simply never hands over the key to unlock them.
Ransomware has been plaguing the healthcare industry for years. Traditionally, those that fell victim to a ransomware attack treated it like any other virus or malware infection: the teams clean the machine, completely wipe it, and restore the encrypted data from a backup or archive. The Department of Health and Human Services now states that ransomware infections that encrypt files containing Protected Health Information (PHI) are a reportable event. The reasoning behind it does make sense. A ransomware infection is a third-party agent, outside the control of the data owner, and that infection manipulates the PHI data. Without extensive, and expensive, forensic investigation there is no confidence that the PHI remained within the company and was not transmitted externally.
Here’s an excerpt from the guidance, which can be found here:
Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?
Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.[6]
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.
[6] See also Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Covered entities under HIPAA need to be aware of this ruling and prepare to respond to it. The probability of a healthcare organization being impacted by a ransomware infection is extremely high; it’s not a question of IF but WHEN. All it takes is one bad click, a drive-by download through an unpatched Flash plugin, or a careless employee. If even one record of PHI existed on the infected laptop, you now need to report it as a security event under HIPAA.
What is worse, most organizations have one or several large shared drives for backups and collaboration. Ransomware infections don’t stick to the computer they run on. They are designed to look for mapped drives and shared folders and encrypt every file they can find. If the victim’s user account has access to everything, the infection does too. Before this guidance, the organization could simply restore those drives from backup. Now, if that drive gets hit and there are millions of PHI records sitting in old spreadsheets, database backups and PDF reports, all of those must be reported as accessed. All those patients must be notified. Your company will be added to the long list of breached companies.
If the Information Security department didn’t have enough motivation to build a robust risk management process, tight access controls, monitoring, strong perimeters, automation and awareness, it should now. It’s safe to assume that virus, malware and ransomware incidents were never a priority of Security Departments but rather an IT/desktop management issue. No longer. This will bring Information Security and Compliance closer to end users and individual behaviors, since most ransomware is brought in by users’ activities.
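As an added illustration of the share-walking behaviour just described (this is example code, not from the original post or from HHS), here is a small detector run over constructed file-server audit lines: it flags an account that modifies many files across several folders of a share within a short window, which is the footprint a ransomware infection leaves on a mapped drive. The log format, the threshold values and the account names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60  # sliding window per account
THRESHOLD = 6        # modifications in one window that no normal workflow reaches
MIN_FOLDERS = 2      # spread across folders, the way a share-walking infection behaves
# Constructed file-server audit lines (not real data): time, account, action, path.
SAMPLE_LOG = r"""
2016-07-12T09:00:01 bob WRITE \\fs01\shared\billing\notes.docx
2016-07-12T09:00:05 alice RENAME \\fs01\shared\billing\q1.xlsx.locked
2016-07-12T09:00:06 alice RENAME \\fs01\shared\billing\q2.xlsx.locked
2016-07-12T09:00:07 alice RENAME \\fs01\shared\billing\claims.pdf.locked
2016-07-12T09:00:09 alice RENAME \\fs01\shared\radiology\scan_1001.pdf.locked
2016-07-12T09:00:10 alice RENAME \\fs01\shared\radiology\scan_1002.pdf.locked
2016-07-12T09:00:11 alice RENAME \\fs01\shared\radiology\scan_1003.pdf.locked
2016-07-12T09:00:12 alice RENAME \\fs01\shared\radiology\scan_1004.pdf.locked
2016-07-12T09:03:00 bob WRITE \\fs01\shared\billing\notes.docx
"""

def parse(line):
    ts, account, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), account, action, path

def folder(path):
    return path.rsplit("\\", 1)[0]  # parent folder of a UNC path

def detect_mass_modification(log_text):
    """One alert per account whose writes/renames inside a WINDOW_SECONDS sliding
    window reach THRESHOLD files spread over at least MIN_FOLDERS folders."""
    recent = defaultdict(deque)  # account -> (timestamp, path) events still in window
    alerted, alerts = set(), []
    for line in log_text.strip().splitlines():
        ts, account, action, path = parse(line)
        if action not in ("WRITE", "RENAME"):
            continue
        window = recent[account]
        window.append((ts, path))
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()  # drop events older than the window
        folders = {folder(p) for _, p in window}
        if len(window) >= THRESHOLD and len(folders) >= MIN_FOLDERS and account not in alerted:
            alerted.add(account)
            alerts.append({"account": account, "first_seen": window[0][0].isoformat(),
                           "files": len(window), "folders": sorted(folders)})
    return alerts

if __name__ == "__main__":
    for alert in detect_mass_modification(SAMPLE_LOG):
        print(alert)
```

On the constructed log the detector raises a single alert for the account that renamed six files across two folders within seven seconds, while the occasional writes from the other account stay below threshold.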
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.