
Blog Post

June 5, 2017

Ransomware: What Is It and How Is It Treated Under HIPAA?

Sophisticated ransomware has emerged as a major global security threat. On May 12, 2017, there were over 75,000 ransomware attacks on 99 countries that impacted businesses, including several hospitals in the United Kingdom. In the wake of these attacks, health care providers in the United States are urged to understand ransomware and how it is addressed under HIPAA to prepare for security threats to their Protected Health Information.

How Does Ransomware Work?

Ransomware is a type of malware that attempts to deny access to data, generally by encrypting data in a computer system. Hackers can infect a computer through several methods, including malicious website links and email attachments. The malware encrypts data and blocks users’ access to the system until they agree to pay a specified ransom. In the recent ransomware attack in UK hospitals, when employees attempted to access the encrypted files, they were prompted to pay $300 in “bitcoin”—a cryptocurrency—in order to access files.

How Is Ransomware Viewed Under HIPAA?

On July 11, 2016, the U.S. Department of Health and Human Services (“HHS”) issued guidance on ransomware stating that the HIPAA Security Rule requires implementation of security measures to prevent introduction of malware, including ransomware. Such measures include security management (risk analysis and implementation of security measures to mitigate or remediate identified risks), implementing procedures to guard against malware, training users on malware to assist in detecting malware, and implementing access controls to limit access to ePHI. The guidance also indicates that when ePHI is encrypted due to a ransomware attack, a breach has occurred requiring notification. Under HHS’ analysis, in a ransomware attack ePHI is “acquired,” resulting in an unauthorized “disclosure,” because an unauthorized individual takes possession or control of the information. A breach of PHI is presumed in a ransomware attack unless the affected Covered Entity or Business Associate can show, via a risk assessment, that there is a low probability that PHI has been compromised.

The HHS guidance raises questions regarding how to conduct an appropriate breach notification assessment in the event of a ransomware attack. Typically, risk assessments consider whether there is a low probability that PHI has been compromised by weighing four factors: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. The guidance, however, states that entities should also consider additional factors, including a high risk of unavailability of the data or a high risk to the integrity of the data, suggesting that the traditional risk assessment framework may not be entirely suitable in the ransomware context. The guidance also suggests that the mere unavailability of data resulting in a delay of services could be grounds for considering PHI “compromised” under the risk assessment framework, triggering breach notification requirements.
