Earlier this year, ransomware known as WannaCry crippled Britain’s National Health Service and spread across the globe, affecting many other organizations, large and small. Now, many organizations are grappling with a new onslaught caused by similar ransomware dubbed Petya. WannaCry and Petya are among a spate of recent ransomware attacks affecting hospitals and other healthcare providers.
This trend is unlikely to end any time soon because health information is valuable and attackers are becoming increasingly sophisticated. Providers, therefore, need to know how to mitigate the risk of such attacks and, when mitigation fails, how to address the privacy breaches that are part and parcel of these incidents.
Last year, the US Department of Health and Human Services, Office for Civil Rights issued guidance regarding ransomware. This guidance, among other things, made it clear that OCR considers a ransomware attack resulting in the encryption of protected health information to be a HIPAA breach, unless the entity can show through a breach assessment that there is a low probability that the protected health information has been compromised.
Earlier this month, in what appears to be a response to Wannacry, OCR published a checklist and infographic that provides additional guidance to covered entities and business associates dealing with ransomware and other cyber-attacks. In sum, the checklist provides that in response to a cyber-related security incident:
- Respond: the entity must execute response and mitigation procedures and contingency plans;
- Report Crime: the entity should report the crime to law enforcement agencies;
- Report Threat: the entity should report all cyber threat indicators to the appropriate federal agencies and information-sharing and analysis organizations (ISAOs); and
- Assess Breach: the entity must report the breach to OCR as soon as possible, and no later than 60 days after the discovery of a breach affecting 500 or more individuals, and must notify affected individuals and (where more than 500 residents of a state or jurisdiction are affected) the media. A breach affecting fewer than 500 individuals must still be reported to OCR, but may be reported within 60 days after the end of the calendar year in which it was discovered; affected individuals must be notified within 60 days of discovery regardless of the breach’s size.
These steps are part of the entity’s risk mitigation efforts, which OCR will consider during a breach investigation. Of course, the OCR checklist focuses only on what covered entities and business associates should do after becoming the target of a cyber-attack. Malicious hackers will do what they do best, so covered entities and business associates should be continually assessing actual and potential risks and implementing appropriate physical, technical and administrative safeguards to protect health information against those risks in accordance with the HIPAA Security Rule.
Arent Fox’s Health Care and Privacy, Cybersecurity & Data Protection groups monitor developments in HIPAA enforcement and compliance. If you have any questions about the topic covered here or other matters, please contact Jade Kelly or Sarah L. Bruno in our San Francisco office; Stephanie Trunk or Samuel Cohen in our Washington, D.C. office; Thomas Jeffry in our Los Angeles office; Jill Steinberg in our New York office; or the Arent Fox professional who normally handles your matters.