Page 28 - Delaware Medical Journal - September 2016
HEALTH & LAW
OCR Releases Guidance on Ransomware and HIPAA
Bruce D. Armon, JD; Karilynn Bayus, JD
SUMMARY
On July 11, 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance (the Guidance) for health care entities relating to ransomware and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Guidance does not introduce new mandates for covered entities and business associates, but it does emphasize how rigorous adherence to the HIPAA Security Rule can help prevent and mitigate the effects of ransomware attacks.
As noted in the Guidance, ransomware “is a type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid.” The Guidance notes that more than 4,000 ransomware attacks have occurred daily since January 1, 2016, a 300 percent increase over the number of attacks per day in 2015.
The Guidance was released following [...] involving hospitals in 2016. On June 20, 2016, HHS Secretary Sylvia M. Burwell [...] of health care organizations discussing the threat of ransomware generally and enclosing information on ransomware prepared by the federal government. The ransomware variants targeting U.S. companies and individuals are CryptoWall, CTB-Locker, TeslaCrypt, MSIL/SAMAS and Locky.
The Guidance is in the form of a Fact Sheet. The OCR provides answers to questions about ransomware, including:
• Can HIPAA compliance help covered entities and business associates prevent infections of malware, including ransomware?
• Can HIPAA compliance help covered entities and business associates recover from infections of malware, including ransomware?
• How can covered entities or business associates detect if their computer systems are infected with ransomware?
• What should covered entities or business associates do if their computer systems are infected with ransomware?
• Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?
• How can covered entities or business associates demonstrate “...that there is a low probability that the [protected health information (“PHI”)] has been compromised” such that breach notification would not be required?
• Is it a reportable breach if the [electronic PHI] encrypted by the ransomware was already encrypted to comply with HIPAA?
The Guidance states that adherence to the Security Rule mandates will assist health care entities in preventing and recovering from malware and ransomware infections. For instance, the Security Rule requires covered entities and business associates to implement a security management process including a risk analysis to identify threats and vulnerabilities to electronic PHI and requires implementation of procedures to guard against and detect malware. With respect to recovery from a ransomware attack, the Security Rule mandates the creation of a contingency plan, which may need to be activated in the event of a ransomware attack.
Deciding whether a ransomware attack constitutes a HIPAA breach has generated [...] industry. According to the OCR, “When [electronic PHI] is encrypted as the result of a ransomware attack, a breach has occurred because the [electronic PHI] encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” In evaluating whether there is a “low probability” that the PHI has been compromised as part of a risk assessment, OCR suggests that covered entities and business associates consider the type and variant of malware; “the algorithmic steps undertaken by the malware; attempts between the malware and attackers’ command and control servers;” and whether the malware may have affected other systems or other electronic PHI.
The Guidance is available at www.hhs.gov/
Security Rule compliance is critical as more health care information is stored electronically in a host of media types. Malware continues to become more sophisticated and its effects more devastating. If covered entities or business associates have not recently reviewed or audited their Security Rule compliance or conducted a risk assessment, now is the time to do so.
CONTRIBUTING AUTHORS
■ BRUCE D. ARMON, JD is Chair of the Health Care Practice and Managing Partner of the Saul Ewing Law Firm in Philadelphia.
■ KARILYNN BAYUS, JD is an Associate with the Saul Ewing Law Firm in Philadelphia and represents and counsels health care entities and physicians in transactional, regulatory, and administrative matters.
Del Med J | September 2016 | Vol. 88 | No. 9