Hostage Situation – New Guidance to Health Care Organizations on Ransomware Attacks

August 4, 2016

A growing threat to the privacy of health information is the use of "ransomware" to attack hospitals' and other health care organizations' electronic health records systems. These attacks have increased dramatically in 2016 and now represent the fastest-growing malware threat in the US, according to the FBI. In response, the Office for Civil Rights of the U.S. Department of Health and Human Services has released new guidance to health care entities on how to address ransomware attacks.

What Is Ransomware?

Ransomware is a kind of malicious software that encrypts data already on someone else's computer, so that it would be readable only by the party that sent the ransomware. After the ransomware has completed its task, it directs the computer's owner to pay a ransom to the sender in exchange for a "key" that will decrypt the data. Ransomware is often delivered through infected websites or through spam and phishing email messages, activating when a user follows a link or opens the attachment.

Must Ransomware Attacks Be Reported as Security Breaches?

The rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) generally require a health care organization to report a breach of unsecured health information to patients, the Department of Health and Human Services, and in some cases the media. The Office for Civil Rights has indicated that the encryption of unsecured health information by ransomware is a security incident and is presumed to be a reportable breach, unless the entity can demonstrate and document that there is low probability that the health information was compromised. The rationale is that through the attack, the sender of ransomware takes control of the unsecured information, which is an unauthorized disclosure that is not permitted by the HIPAA rules.

The guidance from the Office for Civil Rights sets out how to conduct a risk assessment to determine the probability that the unsecured data were compromised, adding factors specific to ransomware to those already given in the HIPAA rules.

The guidance also addresses ransomware attacks on secured health information. If the data had been secured in accordance with previous guidance issued by the U.S. Department of Health and Human Services, a breach would normally not be reportable. However, the circumstances of both the victim's encryption solution and the particular ransomware attack could leave those data transparently decrypted at the time of the attack, giving rise to reporting obligations.

Could a Ransomware Attack Give Rise to Other HIPAA Sanctions?

In addition to urging that entities with infected systems not pay ransoms, the new guidance highlights activities currently required under HIPAA that can help prevent, detect, contain, and respond to ransomware attacks. A health care provider could be found to have violated the HIPAA rules for failing to carry out these activities, which include:

  • conducting a risk analysis to identify threats to electronic health information,
  • establishing a plan to mitigate identified risks,
  • implementing procedures to safeguard against malicious software,
  • training users to detect and report malicious software infections,
  • limiting access to electronic health information to only those people requiring access, and
  • maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

For example, in December 2015, a health care provider entered into a settlement agreement with the Office for Civil Rights that included a $750,000 fine, as a result of an employee's downloading an email attachment containing malware.

For health care organizations, due to the heightened sensitivity of the information that they hold and the security and reporting requirements to which they are subject, more is at stake in a ransomware attack than simply using a backup to recover the data that were encrypted and then resuming normal operations. Therefore, health care organizations should carefully evaluate the effectiveness of their procedures for preventing and responding to a ransomware attack.
