Data for ransom: OCR offers ransomware guidance

Hackers throughout the world are kidnapping data and holding it for ransom, requiring the lawful data holders to pay large sums of money, often in cryptocurrency such as Bitcoin, if they want it back. Attacks have increased by 300 percent, from 1,000 per day in 2015 to 4,000 per day in early 2016. HHS, in conjunction with the U.S. Departments of Homeland Security and Justice, recently disseminated guidance about protecting networks from ransomware and responding to attacks (see Lawmakers, agencies raise specter of ransomware threats to cybersecurity, Health Law Daily, June 30, 2016). An attack on protected health information (PHI) can have particular ramifications for covered entities (CEs) and business associates (BAs) pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191) Security and Breach Notification rules. As a result, the HHS Office for Civil Rights (OCR) has issued its own fact sheet on the intersection of ransomware and HIPAA and on ways CEs and providers can protect themselves and mitigate damages.


In ransomware attacks, hackers infect systems with malicious software that encrypts data and makes it inaccessible to authorized users; they then insist on ransom payment in exchange for a key that will decrypt the data.  In some instances, however, ransomware may destroy or exfiltrate data, transferring it elsewhere.  The OCR notes that basic Security Rule compliance will help CEs and BAs prevent ransomware attacks. Organizations should already be performing risk analyses to identify threats and vulnerabilities and implementing procedures and other measures to prevent attacks, which include training users about malicious software and limiting access to only those people requiring access to electronic PHI (ePHI).

Ransomware attacks often go undetected until a hacker contacts an entity demanding payment. However, workforce members should be trained to look for early signs of an attack, including knowledge that they have clicked on a link, opened an attachment, or visited a website that is potentially malicious; an increase in central processing unit (CPU) and disk activity for no apparent reason; an inability to access certain files; and suspicious network communications.

Frequent data backups can prevent day-to-day operations from coming to a halt in the event of an attack. The OCR recommends that organizations maintain backups offline in order to make them inaccessible from their networks. The agency highlighted the importance of performing periodic test restorations to ensure that an entity would be able to restore data that has been backed up should an attack occur. Pursuant to the HIPAA Security Rule, entities should have security incident response procedures in place in order to address various types of security incidents; in the case of ransomware, the procedures should allow them to quickly detect and analyze the ransomware, contain the impact, eradicate the ransomware, and restore lost data. The presence of ransomware is a security incident pursuant to the Security Rule, and entities must initiate their security incident response and reporting procedures (see 45 C.F.R. secs. 164.304, 164.308(a)(6)).

Breach notification

Covered entities and BAs must determine on a case-by-case basis whether the presence of ransomware constitutes a reportable breach under the Breach Notification Rule (see 45 C.F.R. 164.402) or whether there is a low probability that the PHI has been compromised (see 45 C.F.R. 164.402(2)). In the event that ePHI was encrypted prior to the attack to the extent that it is not considered “unsecured,” there is no requirement to conduct an assessment as to the probability of compromise or to notify individuals and entities of a breach. However, organizations must be sure that the encryption is truly effective. For example, a full disk encryption solution may make data on a hard drive unreadable to unauthorized parties if the system is powered down.  However, that same data may be accessible in the event that the hard drive is in use by an authorized user who performs an action infecting the computer with ransomware.

Organizations must be prepared to fend off and respond to ransomware attacks.  The OCR wants to be sure these entities are ready when faced with a choice between their money and their PHI.