Ransomware – What is it? What has it got to do with HIPAA?


The Office for Civil Rights (OCR) guidance: “FACT SHEET: Ransomware and HIPAA”[1] defines ransomware as:

“Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.

However, hackers may deploy ransomware that also destroys or exfiltrates[2] data, or ransomware in conjunction with other malware that does so.”

To unpack the dense language above: a bad actor, a hacker, puts his or her electronic hand into your network or data center and locks up your organization’s data until you pay them a ransom in some form of money.

In other words, ransomware makes your organization’s data unusable by you. This might:

  • Disrupt your ability to provide health services;
  • Cause significant financial losses;
  • Damage sensitive data beyond recovery or repair;
  • Expose your organization’s data to a breach; and
  • Damage your organization’s reputation.

All bad things! All costs of one type or another!

There are common sense suggestions made by the Secretary of Health and Human Services (HHS) in a June 20, 2016 letter to her HHS colleagues. The letter tells them to notify the FBI immediately if there is a ransomware attack. It makes good sense for any organization that is victimized by a ransomware attack to notify the FBI as well.

There is some good news regarding ransomware: usually, a ransomware attack does not steal any of an organization’s PHI. Even so, you need to understand how to protect your organization from a ransomware attack.

So how does your organization protect itself against ransomware? A number of writers and reporters talk first about cyber hygiene and best practices, which means that prevention is the first thing your organization should be considering. Some of these best practices are part of the HIPAA Security Rule requirements and others could be called evidence of compliance. They include the following:

  • Backups[3];
  • Risk Analysis[4];
  • Staff Training[5];
  • Vulnerability Patching[6];
  • Application Whitelisting [and blacklisting][7];
  • Incident Response[8];
  • Business Continuity[9]; and
  • Penetration Testing[10].

Once the fact of a ransomware attack has been established, the first thing your organization should do is call the local FBI office and your police department. Additionally, the OCR Fact Sheet offers the following internal processes to follow if your organization is attacked:

  • “Detect and conduct an initial analysis of the ransomware;
  • Contain the impact and propagation of the ransomware;
  • Eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • Recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations; and
  • Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.”[11]

The OCR Fact Sheet also reminds us that a ransomware attack on your organization might rise to the level of a breach. If your organization’s protected health information (PHI) was encrypted, it might not be a breach, but OCR is careful to tell us that this will be “a fact specific determination.”[12] In other words, if your organization’s PHI is encrypted consistent with the federal guidance, so that it is rendered unusable, unreadable or indecipherable to someone who should not have access to it, then it is not unsecured PHI, and a breach notification to OCR would not be necessary.

There is another federal document that you can download and use for knowledge and training, named “How to Protect Your Networks from RANSOMWARE.”[13] It was released in June 2016 by 14 federal agencies, including the Department of Health and Human Services, that hold and use PHI or personally identifiable information (PII). Its last page lists even more federal resources, including how to report to the FBI.

In conclusion: a ransomware attack is very scary, but if your organization encrypts PHI at rest as well as when it is being transmitted, there may not be a breach that needs to be reported to OCR.

On the other hand, your organization will still need to find a way to unlock or restore the PHI so that it can keep working and carry on the routine tasks it performs as either a covered entity or a business associate.

[1] https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

[2] Exfiltration is the unauthorized transfer of information from an information system.

[3] 45 CFR 164.310(d)(1)(iv)

[4] 45 CFR 164.308(a)(1)(i)

[5] 45 CFR 164.308(a)(5)

[6] Evidence of HIPAA Security Compliance

[7] Evidence of HIPAA Security Compliance

[8] 45 CFR 164.308(a)(6)

[9] Evidence of HIPAA Security Compliance

[10] Evidence of HIPAA Security Compliance

[11] Page 3: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

[12] Page 7: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

[13] https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf