hipaa security rules enforcement

Navigating New OCR Guidance on Ransomware: 4 Critical Takeaways

The verdict is in: after much deliberation, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) confirmed that a ransomware attack should be classified as a breach of electronic protected health information (ePHI) under HIPAA, unless there is substantial evidence to the contrary. As we touched on in our previous blog, the OCR has released a fact sheet with specific guidance for managing HIPAA breach notification processes and overall risk in the face of ransomware attacks.

Covered entities and business associates are expected to comply with the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) for protecting ePHI and with the associated HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) processes in the event of a breach. The consequences of non-compliance can lead to a hefty fine and public disclosure of the breach incident. For instance, the OCR has announced nearly $15 million in settlement payments through the first seven months of 2016 to the HHS relating to compliance failures alleged against covered entities and business associates.

As Jocelyn Samuels, OCR Director, explained, “HIPAA covered entities and business associates are required to develop and implement security incident procedures, response, and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.”

What are the responsibilities and requirements covered entities and business associates need to pay closer attention to in light of this announcement?

Here are four important takeaways from OCR guidance:

1. If you are able to prove “low probability that PHI has been compromised,” a ransomware attack may not be considered a reportable breach.

However, according to the OCR, HHS needs “reasonable evidence and documentation” from covered entities, and these entities are expected to complete a thorough risk assessment to uncover:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

2. Employ a contingency plan involving disaster recovery, emergency preparedness, continuous backups, and testing.

A carefully considered and well-implemented approach to backups is important. It’s not enough to maintain backups, backup data must be recoverable in the event of a ransomware attack. Backup data that is hosted on the network can also be a target of ransomware. The OCR recommends maintaining backups offline and conducting periodic test restorations.

When performing these backup and restoration steps it is also important to validate data integrity, as HIPAA demands that certain data quality standards are upheld to meet compliance.

3. Train authorized users on best practices for detecting and responding to ransomware.

The OCR recommends that an entity’s workforce is trained to decipher the signs of a ransomware attack when the threat has slipped past other security measures. This level of recognition requires more of a proactive approach in understanding when a system could be in jeopardy, including the detection of unusual network activity or a change in the access of files.

The OCR outlines a number of the potential warning signs of a ransomware attack in its fact sheet.

4. Determine the ransomware variant and whether the data was exfiltrated.

Even if it seems that a ransomware incident ends once the payment is made and files have been decrypted, the possibility that sensitive data can still be transferred and controlled by the attackers must not be overlooked.

As OCR guidance explains in detail, identifying and reviewing research on the particular strain of malware that has infected a system can go a long way in determining whether that form of malware can exfiltrate data.

Of course, acting on these takeaways is easier said than done. Having a qualified partner ready to assist in performing these and other preventative measures – or at the very least, identifying and vetting a partner to provide assistance prior to a crisis situation – is well worth the time and effort.

Check out our healthcare page to learn how we can help you.