On Monday, July 11, 2016, the Office for Civil Rights (OCR) released a fact sheet with guidance for covered entities and business associates on HIPAA and ransomware. Released in response to the escalating prevalence of ransomware attacks (a type of computer attack in which a computer virus encrypts computer files and thus prevents users from accessing the files until a ransom is paid, previously discussed on this blog here and here), the guidance emphasizes how compliance with the HIPAA Security Rule (Subpart C of Part 164 of Title 45 of the Code of Federal Regulations, §§ 164.302 et seq.) can help covered entities and business associates prevent, detect, and recover from infections of malware, including ransomware.
Notably, the fact sheet puts forward OCR’s belief that the unwanted encryption of electronic protected health information (ePHI) as the result of a ransomware attack is presumptively a breach unless a risk assessment determines that there is a low probability that the attacker’s access to ePHI opened the door to an impermissible disclosure of that ePHI.
Before this guidance was released, many in the health care industry did not consider a ransomware attack as a breach because this type of attack often does not appear to involve the use or disclosure of ePHI to an unauthorized user. However, noting that a breach is defined as the impermissible “acquisition, access, use, or disclosure of PHI,” OCR states that a breach occurs when ePHI is encrypted as the result of a ransomware attack because “the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus [there] is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Even if the covered entity or business associate utilizes some form of full disk encryption of their data, OCR believes that any ePHI may nevertheless be “unsecured” as to the ransomware attacker with access.
While OCR’s interpretation of what it means for ePHI to be “acquired” may be subject to debate, covered entities and business associates should strongly consider OCR’s position on this matter and conduct a risk assessment pursuant to HIPAA regulations to determine whether a ransomware attack on their systems would constitute a reportable breach. Even if there is a lower risk that the privacy of the affected data with ePHI was compromised, OCR states that the incident may still be reportable if there is a high risk the data was unavailable or the integrity of the data was compromised.
Arent Fox’s Health Care group and Cybersecurity & Data Protection group continuously monitor issues affecting cybersecurity in the health care industry and advise clients on steps they can take to protect themselves from potential threats as well as appropriately respond to an actual attack. If you have any questions or need assistance on the topic covered here, please contact Samuel Cohen, Alex Manning (the former Staff Director of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Committee on Homeland Security), Douglas Grimm, or Stephanie Trunk in our Washington, DC office; Sarah Bruno or Jade Kelly in our San Francisco office; Thomas Jeffry or Lowell Brown in our Los Angeles office; or the Arent Fox professional who normally handles your matters.