OCR Releases Ransomware Guidance for HIPAA Covered Entities

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released new guidance for covered entities to help them protect their organizations from ransomware attacks, and deal with attacks if they should occur. The new guidance also clarifies how HIPAA Rules apply to healthcare ransomware infections.

Earlier this year, Deputy Director for Health Information Privacy Deven McGraw announced that new guidance on ransomware would be released by the OCR to help HIPAA-covered entities deal with the increased threat from ransomware.

The announcement was made shortly after a number of healthcare organizations had experienced ransomware attacks. Those attacks seriously disrupted systems and prevented healthcare professionals from communicating electronically and accessing the health records of patients.

Healthcare industry professionals have also been awaiting guidance on how HIPAA applies to ransomware infections for some time. Ransomware behaves differently from many other malware variants, and there has been some confusion about whether a ransomware infection constitutes a “breach” as defined in the HIPAA regulations.

Malware can allow hackers to steal patient health information. However, many ransomware variants blindly encrypt data without the attackers actually gaining access to patient files. If a ransomware infection does not involve data being accessed, viewed, or copied, it has been argued that it would not constitute a breach, and a full breach response – notifications to patients, notification of the incident to the OCR, and media announcements – would therefore not be required.

In an interview with the Security Media Group earlier this year, McGraw indicated that ransomware infections did, in many cases, constitute a data breach. This has now been confirmed in the latest OCR guidance. In the majority of cases, if ransomware has been installed on a network or device used to store ePHI, it would constitute a breach. If patient data is encrypted by ransomware, access has been gained by an attacker and this would be classed as an impermissible disclosure under HIPAA Rules.

That means that if patient data are encrypted by ransomware, all affected patients would need to be notified of the breach. A breach report would need to be issued to the OCR, and a media announcement made if the “breach” affected more than 500 patient records.

A full breach response – as required by the HIPAA Breach Notification Rule – would not be required if the organization could determine that there was a “low probability” of ePHI having been viewed or copied. If the healthcare organization had encrypted the ePHI to an appropriate standard prior to the ransomware infection, the incident would not constitute a breach of unsecured PHI.

The new guidance explains how HIPAA applies to ransomware infections, and also details the steps that covered entities are expected to take to secure their networks, devices, and, most importantly, ePHI. Best practices are set out in the document, along with guidance on how to respond to a ransomware attack should one occur.

A Ransomware and HIPAA fact sheet can be downloaded here

Guidance on ransomware is available via this link

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news