HHS issues new guidance on ransomware attacks

HHS’ Office of Civil Rights (OCR) has released its much-anticipated guidance on how healthcare organizations can better understand and respond to ransomware attacks, including defining such incidents as breaches that require affected individuals to be notified under HIPAA in most circumstances.

The guidance comes as ransomware attacks on companies become more common, with the FBI estimating more than $200 million was paid to retrieve data taken by hackers just in the first three months of 2016.

The eight-part fact sheet begins with OCR’s definition of ransomware.

“Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid,” the guidance reads. “After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key. However, hackers may deploy ransomware that also destroys or exfiltrates data, or ransomware in conjunction with other malware that does so.”

In one section, OCR clarifies that ransomware attacks constitute a breach under HIPAA, unless an organization can prove there’s a “low probability” that protected health information has been compromised.

“The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements,” the guidance reads.

An exception may be made in certain cases when the stolen information had been encrypted according to OCR standards. The guidance gives the example of a powered-off laptop, because the data could only be accessed by an authenticated user. If that same laptop was powered on and then infected by ransomware through an authenticated user’s action, that would qualify as a breach, and notification would be required.

The rest of the guidance includes recommendations on preventing and dealing with attacks, such as:

  • Implementing security measures to guard against and detect malicious software.
  • Using HIPAA-required security training to prepare workers to detect and respond to ransomware attacks.
  • Developing security plans to contain and eradicate instances of malicious software once an attack is discovered.

The recommendations mostly fall in line with what Reps. Ted Lieu, D-Calif., and Will Hurd, R-Texas, recommended in a June letter to OCR.

“If a ransomware attack denies a patient access to their medical record or medical services, the patient needs to know as quickly as possible. We should encourage information about the attack to be shared with both the government and Information Sharing and Analysis organizations in order to prevent the spread of the attack to other providers,” the congressmen wrote.