Many HIPAA covered entities believe that guidance for dealing with ransomware attacks should be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR). There has been some confusion over whether a ransomware attack actually constitutes a data breach.
HIPAA covered entities are required to report breaches of protected health information to the OCR within 60 days of the discovery of a breach. They must also inform patients when their PHI has been exposed, compromised, or stolen.
However, how does that apply to a ransomware attack? When a network is compromised and patient health information is encrypted by ransomware, does that constitute a breach? Is such an incident reportable to the OCR? Healthcare providers that have experienced a ransomware infection have not reported the security incident to the OCR, although many have chosen to issue press releases to the media about ransomware infections.
According to a recent article by the Bloomberg Bureau of National Affairs, the OCR is now preparing new guidance for dealing with ransomware attacks. The OCR will clarify when these attacks constitute a data breach and whether the HIPAA Breach Notification Rule requires covered entities to report ransomware attacks as HIPAA data breaches.
There has been much confusion over the matter. Cybersecurity experts disagree about whether a ransomware infection constitutes a data breach.
If a healthcare provider loses a laptop computer containing patient data, that constitutes a breach. If a laptop is stolen and the data are protected by a password, that is also reportable as a data breach. Some experts say that a ransomware infection could also constitute a data breach. When a criminal attack on a healthcare provider occurs and patient data is encrypted, the attacker – in theory at least – has access to those data.
Others disagree and say that a ransomware infection does not constitute a breach as access to the data is not obtained by the attackers. Ransomware blindly encrypts data. Attackers may have prevented access to data and may threaten to delete the decryption keys, but they do not steal data and neither do they view patient information.
The guidance for dealing with ransomware attacks will be welcome, as it should clear up this confusion. Covered entities should not only be advised on HIPAA regulations and how these apply to ransomware infections, but should also be given advice on preventing ransomware attacks and on the actions that should be taken if an attack takes place.