Neda M. Ryan, Esq.
Compliance Counsel, MiraMed Global Services, Inc., Jackson, MI
Imagine seeing the following message flash onto your computer screen: “Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted.” What would you do?
That is the message computer users in more than 150 countries throughout the world saw on May 12, 2017 when their computers became infected with WannaCry, a ransomware program. The attack left several businesses, including many health organizations, scrambling to protect their data.
Although the number of WannaCry attacks in the United States was limited, the event should be a reminder to all, especially healthcare organizations, to be prepared. The attack highlights the importance of complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements, which promote the security of protected health information, and of prudent computer and internet use.
Ransomware is a type of malicious software used by hackers to encrypt the user’s data and deny access to it until the user pays a ransom, usually in the form of a cryptocurrency like bitcoin. Hackers can also deploy ransomware that will destroy data.
In the case of the WannaCry virus, hackers exploited a known Microsoft Windows vulnerability and infected computers that did not have a security patch designed to fix the issue. The hackers encrypted the data and demanded $300 in bitcoin in order for it to be decrypted. By the second day, the amount went up to $600. After seven days, the data would be deleted.
Unfortunately, this is becoming a fairly common occurrence. According to a U.S. government interagency report, an average of 4,000 ransomware attacks per day have occurred in the U.S. since early 2016, a 300 percent increase from the 1,000 daily attacks reported in 2015.¹
HIPAA Security Rule
Healthcare organizations are already required to follow HIPAA, which guards against the unauthorized access of electronic protected health information (ePHI). Specifically, the Security Rule establishes minimum technical, administrative and physical requirements that entities must follow in order to protect ePHI.
Requirements include implementing a security management process to identify threats and vulnerabilities to ePHI, mitigating the identified risks, and creating procedures to guard against and detect malicious software.
One of the security management processes is a risk analysis. This type of analysis is the foundational element and first step in identifying and implementing safeguards required by the Security Rule. Methods vary depending on the entity’s size, complexity and capabilities.
Information from the National Institute of Standards and Technology (NIST) details factors that entities should consider in designing a risk analysis. Factors to consider include identifying sources of ePHI—both within the organization and outside of it. Also, the plan should consider the human, natural and environmental threats to ePHI.
To assist in these endeavors, the Department of Health and Human Services Office of the National Coordinator for Health Information Technology (HHS ONC) has developed an online Security Risk Assessment Tool. Results from the risk analysis can be used to create policies for personnel screening; determine what data to back up; determine whether and how to use encryption; address what data must be authenticated to protect its integrity; and determine the appropriate manner of protecting ePHI transmissions.
Data Backup Plan
HIPAA also requires entities to create a data backup plan as part of an overall contingency plan to protect ePHI.
Requirements include a data backup plan that creates and maintains retrievable data and exact copies of ePHI. Also included is a disaster recovery plan for restoring any loss of data. Finally, an emergency mode operation plan details procedures to allow the continuation of critical business operations and protect ePHI while the system is in emergency mode.
In a fact sheet about ransomware attacks, HHS underscores the importance of maintaining frequent backups and ensuring the ability to recover data from those backups to effectively recover from a ransomware attack. According to HHS, “[t]est restorations should be periodically conducted to verify the integrity of backed up data and provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and unavailable from their networks.”²
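The test restoration that HHS describes is straightforward to automate: record a cryptographic hash of every file when the backup is taken, store that manifest with the offline copy, and compare a trial restore against it. The following Python script is an added example written for this article; it is not code from HHS or from the author, and the file names and contents it uses are constructed placeholders, not real patient records. It builds a small backup set, hashes it, then verifies one faithful restore and one damaged restore in which a record has been replaced with opaque bytes (as an encrypted file would be), another has been deleted, and a stray file has appeared.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample "ePHI" records: placeholder contents only, not real patient data.
SAMPLE_FILES = {
    "patients/rec-0001.json": b'{"id": 1, "name": "placeholder"}\n',
    "patients/rec-0002.json": b'{"id": 2, "name": "placeholder"}\n',
    "billing/2017-05.csv": b"claim,amount\nA,100\nB,250\n",
}


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file (path relative to backup_dir) to its SHA-256 hash.

    The manifest belongs with the offline copy, not only on the production
    network, so that an attacker who encrypts the live system cannot also
    rewrite the record of what the backup should contain."""
    return {
        str(p.relative_to(backup_dir)).replace("\\", "/"): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_restore(restore_dir: Path, manifest: dict) -> dict:
    """Compare a test restoration against the manifest.

    Returns the files that are missing from the restore, whose contents differ
    from the recorded hash (encrypted, truncated or tampered), and that are
    present in the restore but were never in the manifest."""
    restored = build_manifest(restore_dir)
    return {
        "missing": sorted(k for k in manifest if k not in restored),
        "mismatched": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "unexpected": sorted(k for k in restored if k not in manifest),
    }


def restore_is_clean(report: dict) -> bool:
    """True only when every manifest entry restored byte-for-byte and nothing extra appeared."""
    return not (report["missing"] or report["mismatched"] or report["unexpected"])


def write_sample_backup(backup_dir: Path) -> None:
    """Lay the constructed sample files out under backup_dir."""
    for rel, data in SAMPLE_FILES.items():
        target = backup_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo() -> tuple:
    """Build a backup, then verify one faithful restore and one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = root / "backup"
        write_sample_backup(backup)
        manifest = build_manifest(backup)

        # A faithful test restoration: every file comes back unchanged.
        good = root / "restore_good"
        shutil.copytree(backup, good)
        good_report = verify_restore(good, manifest)

        # A damaged restoration: one record overwritten with opaque bytes
        # (constructed stand-in for ciphertext), one deleted, one stray file added.
        bad = root / "restore_bad"
        shutil.copytree(backup, bad)
        (bad / "patients/rec-0001.json").write_bytes(b"\x8f\x1a\xc3\x00\x7e\x41\x9d")
        (bad / "billing/2017-05.csv").unlink()
        (bad / "patients/README.txt").write_bytes(b"constructed stray file\n")
        bad_report = verify_restore(bad, manifest)

        return good_report, bad_report


if __name__ == "__main__":
    good, bad = run_demo()
    print("faithful restore clean:", restore_is_clean(good))
    print("damaged restore report:", bad)
```

Run periodically against a restore taken from the offline copy, a non-empty "missing" or "mismatched" list is the signal that the backup cannot be relied on for recovery and needs attention before an incident, not during one.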
If a Ransomware Attack Occurs
HIPAA requires entities to have detailed procedures in place to use when responding to an attack in order to get back to “business as usual.” The procedures should include ways to detect ransomware, how to conduct a risk analysis and ways to stop malware from spreading in the case of an attack. Post-incident activities should also include considering what, if any, type of notification is required by law, how the attack happened and if improvements need to be made in order to prevent it from happening again.
Employees should be educated on prudent computer and internet use and on ways to detect and respond to ransomware: how to tell if an attack is occurring and what to do after clicking on something they later deem suspicious.
HHS recommends the following steps if an organization is the victim of a ransomware attack:
- Contact your FBI National Cyber Investigative Task Force immediately to report the event and request assistance. The task force will work with state and local law enforcement and other partners to pursue cybercriminals globally and assist the victims.
- Report cyber incidents to the US-CERT (United States Computer Emergency Readiness Team) and the FBI’s Internet Crime Complaint Center.
Organizations should also immediately contact their attorneys. Notifications to individuals, HHS and, in some instances, the media under HIPAA should be considered very thoughtfully and with the assistance of counsel. Organizations should also consider the applicable state law requirements and ramifications. Whether a ransomware attack amounts to a HIPAA breach is a matter of industry debate. Iliana Peters, a HIPAA compliance and enforcement official at the Office of Civil Rights (OCR), announced at a Georgetown University Law Center cybersecurity conference that OCR will “presume a breach has occurred” when a HIPAA covered entity or business associate is the victim of a ransomware attack. Industry experts argue that this theoretical position does not match how a ransomware attack actually works. An overarching conclusion cannot be drawn without considering the facts and circumstances of a particular attack or event, but victims of ransomware attacks must be aware of this possibility and should consider it with their attorneys.
Ways to Protect Your Practice
The risk of a ransomware attack targeting a healthcare organization, especially a smaller one, is great. Ransomware attackers know that healthcare organizations are notoriously unprepared for such attacks, making them prime targets. As such, hospitals and medical practices should take care to conduct security risk assessments; fill in gaps, either through policy or technological improvements; adopt ransomware attack policies and educate their employees and staff on them; and purchase a cyber liability insurance policy to provide protection in the event a ransomware attack occurs. Now is the time to take action.
For the most current federal government information regarding ransomware attacks, go to http://www.us-cert.gov.
Note: The author extends special thanks to Amy Ryman, paralegal and executive administrative assistant at MiraMed, for her contributions to this article.