Guest Column | November 23, 2016

What You Need To Know About The New HIPAA Guidance On Ransomware

Preventing Healthcare Ransomware

By Laurie Zabel, Director of Coding & Compliance, MedSafe

In 2015, ransomware cost the U.S. healthcare industry nearly $6 billion. Even more concerning is that there has been a 300 percent increase in ransomware attacks in 2016, according to a recent report from the U.S. Government.

Ransomware is a type of malicious software that encrypts data, making it inaccessible to authorized users. After the data is encrypted, the hacker demands a ransom, which is typically in Bitcoin to maintain anonymity. Ransomware is most often deployed using tactics such as spam, phishing messages, websites, and email attachments that infect a computer system once the user clicks on the link or opens the attachment.

Ransomware has been around since the early ’80s; however, cyber-criminals have only recently been using it to wage war against the healthcare industry. Hospitals are most vulnerable because their systems contain crucial information required to care for the sick. Without this data, operations can be drastically impacted, and lives can be at stake. This makes it more likely that a hospital will pay the ransom in order to resume operations, allowing thieves to collect their payday.

HIPAA now requires all covered entities and business associates to provide appropriate security training on malicious software. Entities and business associates must also develop and implement security incident reporting and response procedures in the event of an attack. In order to assist healthcare organizations in better understanding and responding to the threat of ransomware, the HHS Office for Civil Rights has released new HIPAA guidance requirements and security measures, which include the following:

  • Conduct a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI), then implement security measures to mitigate those identified risks;
  • Implement procedures to guard against and detect malicious software;
  • Train users on malicious software protection so they can report and assist in detecting malicious software;
  • Implement access controls to limit access to ePHI to only those persons or software programs requiring access.

An entity’s security response activities should begin with the following:

  • Determine the scope of the incident to identify what networks, systems, or applications are affected;
  • Determine the origination of the incident (who/what/where/when);
  • Determine whether the incident is finished or is still ongoing;
  • Determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited).

These first steps should help in prioritizing the appropriate response and serve as a foundation for a more in-depth analysis of the incident and its impact. Security incident procedures for responding to and reporting security incidents are also required by HIPAA and should include:

  • Detect and conduct an initial analysis of the ransomware;
  • Contain the impact and propagation of the ransomware;
  • Remove instances of ransomware and mitigate vulnerabilities that permitted the ransomware attack;
  • Recover from the ransomware attack by restoring data lost during the attack;
  • Conduct post-incident activities and incorporate any lessons learned into the overall security management process to improve incident response effectiveness for future security incidents.

According to HIPAA, when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, it is considered a breach unless the entity can demonstrate that there is a “…low probability that the PHI has been compromised.”

Once the breach has occurred, the entity must provide notification to the affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements.

To demonstrate that there is a low probability that the protected health information (PHI) has been compromised because of a breach, a risk assessment considering at least the following four factors must be conducted:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

The risk assessment to determine whether there is a low probability of compromise of the PHI must be thorough, completed in good faith, and reach conclusions that are reasonable given the circumstances. Furthermore, covered entities and business associates must maintain supporting documentation sufficient to meet their burden of proof, including:

  • Documentation of the risk assessment demonstrating the conclusions reached;
  • Documentation of any exceptions determined to be applicable to the impermissible use or disclosure of the PHI; and
  • Documentation demonstrating that all notifications were made, if a determination was made that the impermissible use or disclosure was a reportable breach.