Update: Regulator says Ransomware Infections Likely Reportable Under HIPAA

In-brief: The Department of Health and Human Services issued guidance that declared most ransomware infections to be reportable under the Federal HIPAA patient privacy law.

Ransomware infections have been plaguing the healthcare field for much of the last two years, as this blog and others have reported. But amidst all the reports of hospitals hamstrung by encrypted, clinical systems, there’s been precious little talk about whether such incidents are violations of patients’ privacy under the federal HIPAA legislation.

Now we have an answer: yes*.

The U.S. Department of Health and Human Services on Monday issued new guidance that strongly suggests ransomware infections that affect electronic protected health information (ePHI) are reportable breaches under HIPAA.

“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired,” HHS said in its guidance (PDF). The new guidance comes after a period of consideration and debate within policy circles about whether having patient records encrypted by ransomware should count as a “breach” of patient privacy. In theory, the thinking went, the files aren’t being accessed and viewed, simply scrambled and held for ransom.

That thinking was evident in statements from breached organizations. When we wrote about ransomware infections at Chino Valley Medical Center and Desert Valley Hospital in California, for example, the hospitals’ parent organization, Prime Healthcare, sent us a statement noting that no ransom was paid and “no patient or employee data compromised.” In all likelihood, the hospitals simply restored affected hospital systems from a backup, removing the malware.

But is it really right to assume that, during the period when the malware had access to the clinical systems and was spreading across the hospitals’ network, cyber criminals had no access to ePHI? That’s a stretch.

As the OnTheWire blog recently reported, U.S. Congressman Ted Lieu (D-CA) wrote a letter to HHS (PDF) urging regulators to require disclosures of ransomware attacks that affect access to patient records, even in the absence of a data breach involving the viewing of patient health information.

In the guidance announced this week, HHS appears to agree with Lieu and others. Looked at simply, HHS wrote that in ransomware infections “individuals have taken possession or control of the information.” That constitutes a “‘disclosure’ not permitted under the HIPAA Privacy Rule.”

Writing on the Virta Labs blog, Virta CEO and University of Michigan researcher Kevin Fu noted that the HHS guidelines get a lot right, including ruling out an exemption for systems running full-disk encryption: ransomware, by its very nature, operates while the machine is running and the operating system and file system are unlocked and accessible, so encryption of the disk at rest offers no protection against it.

Fu expected that the guidelines would be “bad news” for the majority of Health Delivery Organizations (HDOs) covered by HIPAA. “The OCR guidance means you just got clarity on whether ransomware results in a breach. Sorry, the answer is yes, unless you have methodical evidence to the contrary.”

Which brings us to that asterisk… There are exceptions when covered entities can demonstrate that there’s a “low probability that the PHI has been compromised.” But that requires breached organizations to do a thorough analysis of the malware in question, its capabilities, its communications into and out of the affected environment, and so on. Simply playing Pollyanna and assuming that “all is well” won’t cut it any more.

Assuming they can’t clear the high “low probability” bar, organizations that have had ransomware touch ePHI must assume a breach has occurred and comply with the applicable breach notification provisions, including notification of affected individuals without unreasonable delay and, where the breach affects more than 500 individuals, notification of the Secretary of HHS and the media.

Fu said that covered entities will need to add HIPAA compliance and breach notification to planning around ransomware outbreaks.

The new guidance is also likely to push more resources toward prevention of malware and ransomware outbreaks by aligning ransomware prevention with regulatory compliance. Surveys of the healthcare sector have found that hospitals and other healthcare organizations often have a myopic view of risk that is focused on regulatory compliance, especially in regard to HIPAA. That has left many HDOs ill-prepared to defend their facilities, networks, employees and infrastructure against targeted attacks by online adversaries who wish to cause disruptions in service or even to target patients, according to a report by Independent Security Evaluators (ISE).