Publications

Hostage Situation – New Guidance to Health Care Organizations on Ransomware Attacks

August 4, 2016

A growing threat to the privacy of health information is the use of "ransomware" to attack hospitals' and other health care organizations' electronic health records systems. These attacks have increased dramatically in 2016 and now represent the fastest-growing malware threat in the US, according to the FBI. In response, the Office for Civil Rights of the U.S. Department of Health and Human Services has released new guidance to health care entities on how to address ransomware attacks.

What Is Ransomware?

Ransomware is a kind of malicious software that encrypts data already on someone else's computer, so that it would be readable only by the party that sent the ransomware. After the ransomware has completed its task, it directs the computer's owner to pay a ransom to the sender in exchange for a "key" that will decrypt the data. Ransomware is often delivered through infected websites or through spam and phishing email messages, activating when a user follows a link or opens the attachment.

Must Ransomware Attacks Be Reported as Security Breaches?

The rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) generally require a health care organization to report a breach of unsecured health information to patients, the Department of Health and Human Services, and in some cases the media. The Office for Civil Rights has indicated that the encryption of unsecured health information by ransomware is a security incident and is presumed to be a reportable breach, unless the entity can demonstrate and document that there is low probability that the health information was compromised. The rationale is that through the attack, the sender of ransomware takes control of the unsecured information, which is an unauthorized disclosure that is not permitted by the HIPAA rules.

The guidance from the Office for Civil Rights sets out how to conduct a risk assessment to determine the probability that the unsecured data were compromised, adding additional possible factors specifically for ransomware to those already given in the HIPAA rules.

The guidance also addresses ransomware attacks on secured health information. If the data had been secured in accordance with previous guidance issued by the U.S. Department of Health and Human Services a breach would normally not be reportable. However, the circumstances of both the victim's encryption solution and the particular ransomware attack could render those data transparently decrypted, giving rise to reporting obligations.

Could a Randsomware Attack Give Rise to Other HIPAA Sanctions?

In addition to urging that entities having infected systems not pay ransoms, the new guidance highlights activities currently required under HIPAA that can help prevent, detect, contain, and respond to ransomware attacks. A health care provider could be found to have violated the HIPAA rules for failure to carry out such activities, such as:

  • conducting a risk analysis to identify threats to electronic health information,
  • establishing a plan to mitigate identified risks,
  • implementing procedures to safeguard against malicious software,
  • training users to detect and report malicious software infections,
  • limiting access to electronic health information to only those people requiring access, and
  • maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

For example, in December 2015, a health care provider entered into a settlement agreement with the Office for Civil Rights that included a $750,000 fine, as a result of an employee's downloading an email attachment containing malware.

For health care organizations, due to the heightened sensitivity of the information that they hold and the security and reporting requirements to which they are subject, more is at stake in a ransomware attack than simply using a backup to recover the data that were encrypted and then resuming normal operations. Therefore, health care organizations should carefully evaluate the effectiveness of their procedures for preventing and responding to a ransomware attack.

Firm Highlights
News

Lewis Rice Names Three New Members of the Firm

More
News

Lewis Rice Kansas City Office Names Four New Members of the Firm

More
Client Alert

Important Update – The Corporate Transparency Act: What Small (and Not-So-Small) Businesses Need to Do

More
Diversity & Inclusion

BLSA Recognizes Lewis Rice with “Leader in Diversity” Award

More
Client Alert

Department of Labor Retools FLSA Independent Contractor Rule – Again

More
Client Alert

Federal Funds Available for Energy Investments Powering Up in 2024

More
News

FarmProgress Discusses Rails to Trails Compensation

More
News

Michael P. Davidson Named to Missouri’s 2024 POWER List in Health Care Law

More
Client Alert

New Hampshire: the 14th State to Enact a Comprehensive Privacy Law

More

Lewis Rice LLC (“we”) use cookies to improve our products and your experience on our websites by evaluating the use of our website and services, to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics service providers. For more information, please see our Cookie Policy.

By continuing to browse or by clicking “Accept All Cookies” you direct us to disclose your personal information to these service providers for those purposes and agree to the storing of first-party and third-party cookies on your device.