
Blog Post

June 05, 2017

Ransomware: What Is It and How Is It Treated Under HIPAA? [Part 1 of 2]

Sophisticated ransomware has emerged as a major global security threat. On May 12, 2017, there were over 75,000 ransomware attacks on 99 countries that impacted businesses, including several hospitals in the United Kingdom. In the wake of these attacks, health care providers in the United States are urged to understand ransomware and how it is addressed under HIPAA to prepare for security threats to their Protected Health Information.

How Does Ransomware Work?

Ransomware is a type of malware that attempts to deny access to data, generally by encrypting data in a computer system. Hackers can infect a computer through several methods, including malicious website links and email attachments. The malware encrypts data and blocks users’ access to the system until they agree to pay a specified ransom. In the recent ransomware attack on UK hospitals, when employees attempted to access the encrypted files, they were prompted to pay $300 in “bitcoin”—a cryptocurrency—in order to regain access to the files.

How Is Ransomware Viewed Under HIPAA?

On July 11, 2016, the U.S. Department of Health and Human Services (“HHS”) issued guidance on ransomware stating that the HIPAA Security Rule requires implementation of security measures to prevent the introduction of malware, including ransomware. Such measures include security management (risk analysis and implementation of security measures to mitigate or remediate identified risks), implementing procedures to guard against malware, training users on malware to assist in detecting it, and implementing access controls to limit access to ePHI. The guidance also indicates that when ePHI is encrypted due to a ransomware attack, a breach has occurred requiring notification. Under HHS’ analysis, in a ransomware attack ePHI is “acquired,” resulting in an unauthorized “disclosure” because an unauthorized individual takes possession or control of the information. A breach of PHI is presumed in a ransomware attack, unless the affected Covered Entity or Business Associate can show through a risk assessment that there is a low probability that PHI has been compromised.

The HHS guidance raises questions regarding how to conduct an appropriate breach notification assessment in the event of a ransomware attack. Typically, risk assessments consider whether there is a low probability that PHI has been compromised by weighing four factors: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. The guidance, however, states that entities should also consider additional factors, including a high risk of unavailability of the data or a high risk to the integrity of the data, suggesting that the traditional risk assessment framework may not be entirely suitable in the ransomware context. The guidance also suggests that the mere unavailability of data resulting in a delay of services could be grounds for considering PHI “compromised” under the risk assessment framework, triggering breach notification requirements.
