According to a recent U.S. Government report, ransomware attacks have been rapidly increasing since early 2016. The reality is staggering. An estimated 4,000 ransomware attacks take place every day. So what is ransomware? It's a type of computer virus or malware that attempts to deny access to a user’s information by encrypting their data.
Healthcare and dental facilities are often targeted because of their perceived ability to pay a ransom and their reliance on maintaining the confidentiality and availability of patient electronic protected health information (ePHI) under HIPAA. So in essence, HIPAA makes you a potential target, but it also serves to protect you since it requires the implementation of technical, administrative and physical safeguards.
First off, let's address whether ransomware is actually considered a breach under the HIPAA Rules. A breach is defined as, "The acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rules that compromises the security or privacy of the PHI." - 45 C.F.R. 164.402
According to HHS, when ePHI is encrypted as a result of a ransomware attack, a breach has occurred because the information was acquired by an unauthorized individual(s) and that's considered an unauthorized disclosure under the HIPAA Privacy Rule.
For clarification, if you discover malware or ransomware during an anti-virus check and it's quarantined or removed before it executes, it's only a security incident at that point. A deeper analysis would have to be performed to determine if it resulted in an impermissible disclosure.
What if the information that was accessed and encrypted by ransomware was already encrypted as a safeguard to comply with HIPAA? The HIPAA Breach Notification Rules only apply to "unsecured PHI". If the ePHI is encrypted in the appropriate manner, then the covered entity is not required to conduct a risk assessment and breach notification is not required.
How does complying with HIPAA help prevent infections of ransomware? The HIPAA Security Rule requires implementation of safeguards that help prevent or identify malware, including ransomware. Some of these requirements include:
- Conducting a risk analysis to identify threats and vulnerabilities to ePHI
- Implementing security measures to mitigate or remediate identified risks
- Training users how to avoid, identify and report potential security issues
- Implementing access controls to limit access to authorized individuals
The HIPAA Security Rule also requires covered entities to implement policies and procedures that can assist in responding to and recovering from a ransomware attack. One important component of an organization's restoration capability is its ability to recover data from a backup. Back up often and periodically test any backups to verify the integrity of the data. It's always a good idea to have an offsite backup like a mirrored server, but some ransomware has been designed to damage these online backups. Consider creating a secondary backup that's independent from the network. A physical copy like an external hard drive or flash drive will work, but it needs to be encrypted or secured to avoid another potential risk. Consider keeping physical copies on site in a burn-rated fireproof safe.
Most importantly, don't take a chance with outdated policies or no policies at all. Too often people have updated forms, but no policies at all. Any complaint, breach or security incident could lead to an audit. We're talking on a regular basis to people who have been infected by ransomware and are concerned, and rightfully so. One organization we spoke with paid $10,000 for decryption keys after being locked out of patient data for almost a week. HIPAA audits often include requests for years of policies and procedures, employee training, risk assessments and financial records.
Compliance doesn't have to be complicated or expensive. Our HIPAA manuals include policies that cover all the required and addressable components. We include employee training, forms, posters and toll-free phone support all at one low price.
The full bulletin can be found directly from HHS here. Don't hesitate to call us at 1-800-522-9308 if you have any questions.