Health care entities and their business associates with access to electronic Protected Health Information (ePHI) are subject to the HIPAA Privacy & Security Rules. New guidance was just released regarding the requirements of the HIPAA Security Rule in the event of a ransomware attack. Additional information regarding the requirements of the HIPAA Privacy & Security Rules is available in our earlier advisory entitled "Another HIPAA Compliance Deadline Approaches."

Ransomware has become a major threat to electronic records systems worldwide. The US government reported recently that there have been 4,000 daily ransomware attacks so far in 2016! This represents a 300% increase over the number of attacks that occurred in 2015. Hospitals and other healthcare organizations have become popular targets for ransomware attackers. Nearly one half of all U.S. hospitals reported at least one ransomware attack during the past year. The healthcare industry is especially vulnerable because a ransomware attack can block access to Electronic Medical Records (EMR), which can disrupt patient care services. Hospitals and other healthcare providers are updating their Continuity of Operations Plans to address prolonged loss of the EMR and rapid implementation of backup electronic or paper systems.

The rise in ransomware attacks in the healthcare industry has also led to many questions about HIPAA compliance before, during and after an attack. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued guidance on July 11, 2016, to address some of these questions. OCR is responsible for HIPAA enforcement and for responding to complaints alleging HIPAA violations. The way in which OCR views the interaction of HIPAA and ransomware is relevant for every healthcare organization and every HIPAA business associate. Here are some key takeaways from the OCR guidance:

  1. A ransomware attack constitutes a “security incident” under the HIPAA Security Rule, and once the ransomware is detected, the covered entity or business associate must implement its security incident response and reporting procedures. The high incidence of ransomware attacks on healthcare providers means that every provider should be conducting exercises to test its security incident response procedures using ransomware-based scenarios.
  2. A ransomware attack will probably result in a reportable data breach as defined by HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act). Ransomware works by encrypting data within the EMR so that it cannot be accessed by users. The OCR guidance makes clear that when electronic Protected Health Information (ePHI) is encrypted as a result of a ransomware attack, a data breach has occurred. This is because the act of encryption means the ePHI was “acquired” by the attacker, which is an unauthorized disclosure of the ePHI under HIPAA. Unless the covered entity or business associate can prove that there is a “low probability that the ePHI has been compromised” under the Breach Notification Rule, the breach must be reported.
  3. Congress is calling for HHS to declare that every ransomware event is automatically a reportable breach, but the guidance does not go that far. The covered entity or business associate that is the victim of a ransomware attack can attempt to demonstrate that there is a low probability that ePHI has been compromised as a result of the attack so that no breach notification is required. The burden of proof is squarely on the covered entity or business associate to prove this. The documentation supporting this determination must be rock-solid, since it could be challenged later. The guidance requires the covered entity or business associate to act in good faith in making this determination and to retain the documentation supporting its determination.
  4. Even if the covered entity had already encrypted the ePHI within the EMR before the attack, the guidance makes clear that a ransomware attack might still be a reportable breach. A fact-specific investigation into how the ePHI was being used at the moment of the ransomware attack (for example, whether it was unlocked and accessible to a logged-in user) is required in order to determine whether a reportable breach has occurred.

The threat of ransomware is not going away. New variants are being developed and deployed every single day. Every healthcare organization must assume that it will be attacked by ransomware in the near future and prepare accordingly. This means updating your security incident response plan, educating employees about the ransomware threat, conducting realistic exercises that simulate a ransomware attack to identify gaps in your organization’s response, and addressing those gaps quickly.

For additional information, please contact Troutman Sanders Partner and Healthcare Practice Leader, Steve Gravely, at steve.gravely@troutmansanders.com and Troutman Sanders Partner, Erin Whaley, at erin.whaley@troutmansanders.com.