Imagine for a moment that your hospital or physician practice suddenly cannot access its electronic medical records. There hasn’t been a natural disaster. No, instead you are inexplicably staring at a computer screen from an unknown source demanding a hefty ransom to unlock your own records. Procedures must be delayed. Charts cannot be electronically updated. Medical and credentialing information stored in your system is exposed, not to mention other personal and proprietary electronic information. Operations are disrupted and confidence is at risk. You’ve just entered the world of a ransomware cyberattack.

Ransomware is malicious software that invades the host computer and encrypts data with a key known only to the hacker. It makes data inaccessible to authorized users until a ransom is paid, usually demanded in bitcoin. Left unchecked, it can infect and spread to local drives, attached drives, backup drives, and other networked systems.

The threat of ransomware is exploding. A 2016 Joint Report from the CIA, Departments of Justice and Homeland Security, and other federal agencies titled “How to Protect Your Networks from Ransomware” calls ransomware the “fastest growing malware threat.” The Joint Report estimates that there are more than 4,000 ransomware attacks every single day, representing a 300% increase over just last year.

Since the beginning of 2016, there have been multiple reports of hospitals and hospital systems attacked by ransomware. For example, in February, Hollywood Presbyterian Hospital in Los Angeles reportedly paid a $17,000 ransom to obtain decryption of its information. In March, ransomware attacked the MedStar Health system in Maryland, affecting 10 hospitals and more than 250 outpatient centers. Healthcare entities are particularly vulnerable because of the volume of information they manage, the value and sensitivity of the information, and the urgency with which providers must recover it.

Ramifications of ransomware attacks under HIPAA

Until recently, the scope of an entity’s HIPAA obligations regarding prevention and response to ransomware was unclear, primarily because the electronic protected health information (ePHI) is locked in, rather than stolen. Now, in a fact sheet titled “Ransomware and HIPAA,” the HHS Office for Civil Rights (OCR) has released significant new guidance designed to help healthcare entities better block attacks and recover more quickly from their effects. OCR plainly views a ransomware attack as a HIPAA “security incident,” and the guidance makes clear that OCR expects covered entities and their business associates to prepare and respond accordingly.

Both the new OCR guidance and the 2016 Joint Report outline the recommended practices for preventing and responding to ransomware. They emphasize two crucial elements of ransomware preparation: 1) workforce training for detecting and reporting instances of malware as quickly as possible, so that the entity can immediately activate its security response plan, and 2) maintaining robust contingency plans, security incident response procedures, and effective backups, ensuring the ability to discover, isolate, and stop the attack and restore data quickly and independently.

The most noteworthy aspect of the new guidance is OCR’s position that a ransomware infection may trigger HIPAA breach reporting obligations. OCR clarifies that the taking of possession or control of ePHI by an unauthorized individual is an unauthorized disclosure under the Privacy Rule. This disclosure is presumed to be a breach unless there is a low probability that the ePHI has been compromised, which can only be determined by an IT-intense, fact-specific risk assessment and evaluation of the attack — for example, the exact type and variant of malware discovered; the algorithmic steps undertaken by the malware; communications, including exfiltration attempts between the malware and attacker’s command and control services; whether the malware propagated to other systems, potentially affecting additional sources of ePHI; and the impact of the ransomware on the continuing integrity of the ePHI. The guidance makes clear that a high risk of unavailability of ePHI, or a high risk to its integrity, must be considered as indicators of compromise.

What about encryption? Traditionally, encryption has been the “gold standard” under HIPAA; the notice provisions do not apply to encrypted ePHI because the encryption has rendered the information unusable, unreadable, or indecipherable. For example, if a laptop with full disk encryption is properly shut down and powered off and then lost or stolen, the data would be unreadable to anyone other than the authenticated user. Unlike someone who finds a lost laptop in a taxicab, however, a ransomware hacker infiltrates the host system itself and accesses files from within. Depending on the type of encryption used, the files may or may not be encrypted at the point of access. A risk assessment following a ransomware attack must include an IT-intensive, fact-specific assessment of the state of the information at the time of the attack, in order to determine the probability of compromise.

Resources for cyber contingency planning

While compliance with any specific set of technical standards is not required by HIPAA, two recommended sources of technical best practices are the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce and the Office of the National Coordinator for Health Information Technology (ONC). Both publish recommended practices for cyber contingency planning, and ONC has produced a series of guides specifically designed to optimize electronic health record resilience (the “SAFER” Guides).

HIPAA compliance is a key component of thorough cybersecurity preparation. The more prepared you are to swing into Plan B, the more control of the situation you will have in the face of that frozen computer screen.