The federal government has issued new guidelines for dealing with ransomware attacks under the HIPAA law, but the document still leaves a lot of grey area that could lead to questions about what is or isn’t considered a breach.
The new guidance comes as ransomware attacks have grown from a nuisance to a looming menace for both consumers and enterprises. Whereas the first and second waves of ransomware attacks targeted home users almost exclusively, the cybercrime groups have now realized that businesses represent an even juicier target for their wares. The SamSam ransomware variant, among others, seems to be custom-built to target enterprises, looking for network shares and replicating among connected systems. The attackers have discovered that it’s more efficient and profitable to hit a major enterprise and pry a few thousand, or tens of thousands, of dollars out of the company than to victimize hundreds of individual consumers.
Last month, Rep. Ted Lieu (D-Calif.) introduced a bill that would require medical organizations to treat ransomware attacks as data breaches, and therefore force them to issue breach notifications. Now, the Department of Health and Human Services has released new guidance on ransomware attacks that is meant to help organizations determine when they need to treat an attack as a breach of HIPAA, the health information privacy law.
The guidance makes it clear that any ransomware attack on a covered organization that encrypts private health data should be treated as a breach.
“Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” the document says.
“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
The exception to this is if the victim organization can show that there is a “low probability that the PHI has been compromised”. In order to demonstrate that low probability, the organization has to conduct a risk assessment that takes into account four separate factors:
1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2. the unauthorized person who used the PHI or to whom the disclosure was made;
3. whether the PHI was actually acquired or viewed; and
4. the extent to which the risk to the PHI has been mitigated.
That leaves a lot of room for debate and interpretation. Even health care information that is encrypted by the organization before a ransomware attack may not be exempt from a disclosure, the HHS said.
“However, even if the PHI is encrypted in accordance with the HHS guidance, additional analysis may still be required to ensure that the encryption solution, as implemented, has rendered the affected PHI unreadable, unusable and indecipherable to unauthorized persons,” the agency said in the guidance.
How much of the guidance applies depends on the circumstances of a given incident. But Jocelyn Samuels of HHS said organizations need to plan for ransomware attacks before they happen.
“Organizations need to take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents,” Samuels, director of the Office for Civil Rights at HHS, said.