Kusserow on Compliance: 2016 ransomware and HIPAA data breaches

The HHS Office for Civil Rights (OCR) continues to report that most reported Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Privacy Rule violations were due to unauthorized access or disclosure, but cyber attacks are now a close second. Cyber attacks have been very significant in the last couple of years, with the number of such breaches rising to dramatic levels during 2016. The OCR reported at the end of November that scammers were using fake OCR emails to advance their schemes. No one knows for sure how many data breaches occur, but from what is known, the number may average more than one per day. The broad category of data breaches includes actions by those inside the organization, as well as external attacks including phishing, hacking, and ransomware. The most disturbing trend involves ransomware, which typically involves a sophisticated computer virus introduced into a victim’s system that encrypts the system’s data. The attackers threaten to delete the private key needed to decrypt the files unless the owners of the information pay a ransom, typically in an untraceable digital currency such as Bitcoin. Health care industry stakeholders, particularly hospitals, have proven to be soft targets, as they need to have immediate access to their patient information, and many have paid the ransom to regain control over it. There have been some major payouts by health care organizations to regain control over their data and information.

Dr. Cornelia Dorfschmid, a national expert on the subject of ransomware attacks, notes that such attacks have been growing as an internet threat for more than a decade, but have only recently become prominent in health care. The health care sector is considered a soft target, particularly hospitals, which are the perfect mark for this kind of extortion in that they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives, and other information, patient care can be delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.

Tom Herrmann, J.D., explained that both the OCR and CMS found that many questioned whether ransomware attacks were even reportable HIPAA breaches. The reasoning was that the attackers have no interest in accessing, copying, exfiltrating, or exporting the files they capture; they just want to hold the data out of their target’s control until they are paid. Both CMS and the OCR disagreed and took the position that such an attack is also likely a data breach, which must be reported like any HIPAA violation. In July, the OCR then released guidance that made it clear that a ransomware attack is a reportable security incident and must be publicly reported in a timely manner, or a covered entity or business associate will face severe penalties. Since the release of the OCR guidance, there has been a continued increase in the number of reported attacks. Some of that increase may be a result of some health care organizations having previously considered the payment of ransom as simply the price of doing business. They can no longer do that without risking severe penalties, and the OCR has been entering into very large settlements, many of which have been over $1 million. A recent example of this enforcement effort is the University of Massachusetts’ $650,000 HIPAA settlement after a breach of unsecured protected health information (PHI), in which the OCR found a number of security and compliance gaps, including the absence of firewalls, as well as failure to meet basic HIPAA security requirements, including conducting thorough organization-wide risk analyses, proper training of staff, and the implementation of applicable policies and procedures.

OCR guidance to prevent data breaches and ransomware attacks

The OCR guidance discusses:

  • conducting a risk analysis to identify threats and vulnerabilities to electronic PHI (ePHI);
  • establishing ways to mitigate or remediate these identified risks;
  • implementing procedures to take precautions against malware;
  • training users to detect malware and report such detections;
  • limiting access to PHI to people and software requiring such access;
  • maintaining disaster recovery, emergency operations, frequent data backups, and practice restorations.

The fact is that organizations already have tools available that can strengthen security; in many cases they simply need to address a basic lack of security measures.


To protect against ransomware, organizations should:

  • train employees to understand that breaches often occur when opening an email link or attachment, or when responding to “phishing” inquiries;
  • conduct an ePHI vulnerabilities assessment and mitigate or remediate identified risks;
  • address any lack of security technology protecting data and information, including firewalls, email, or web traffic filters;
  • focus security efforts on the files that are most critical, such as patient records;
  • consider using passphrases rather than passwords;
  • develop and implement policies and procedures on how to take precautions against malware;
  • limit access to PHI to people and software requiring such access;
  • maintain disaster recovery, emergency operations, and frequent data backups to permit restoration of lost data in case of an attack;
  • configure email servers to block zip or other files that are likely to be malicious;
  • move quickly on any report of an attack to prevent the malware from spreading, by disconnecting infected systems from a network, disabling Wi-Fi, and removing USB sticks or external hard drives connected to an infected computer system; and
  • limit those who can access files on a single server, so that if a server gets infected, it won’t spread to everyone.
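The list above says to configure email servers to block zip or other files that are likely to be malicious. A filename-only rule is easy to evade by renaming an archive, so a useful gateway check looks at both the declared extension and the first bytes of the attachment. The following Python script is an added example, not code from the article or from Strategic Management Services; the blocked-extension list, the magic-byte table and the sample message are all assumptions constructed here for illustration.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Assumed gateway policy: extensions refused outright (not from the article).
BLOCKED_EXTENSIONS = {".zip", ".exe", ".js", ".scr", ".vbs", ".jar", ".hta"}
# Leading bytes that identify a file regardless of its name:
# "PK\x03\x04" opens a zip archive, "MZ" opens a Windows executable.
MAGIC_SIGNATURES = {b"PK\x03\x04": "zip archive", b"MZ": "Windows executable"}


def inspect_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment that violates the policy.

    A finding is a dict with the attachment filename and the reasons it was
    flagged: a blocked extension, or content whose magic bytes show it is an
    archive/executable hiding behind an innocuous extension.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name.lower())[1]
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext}")
        else:
            # Only check magic bytes when the name looked harmless;
            # this catches "report.pdf" that is really a zip.
            for magic, kind in MAGIC_SIGNATURES.items():
                if data.startswith(magic):
                    reasons.append(
                        f"content is a {kind} but filename suggests "
                        f"{ext or 'no extension'}"
                    )
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Gateway decision: hold the message if any attachment was flagged."""
    return bool(inspect_attachments(raw_message))


def build_sample_message(include_malicious: bool = True) -> bytes:
    """Constructed sample mail (addresses and contents are made up).

    Always carries a benign PDF; with include_malicious it also carries an
    explicit zip and a zip renamed to .pdf.
    """
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "records@hospital.example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    if include_malicious:
        fake_zip = b"PK\x03\x04" + b"\x00" * 16  # zip signature, dummy body
        msg.add_attachment(fake_zip, maintype="application",
                           subtype="zip", filename="invoice.zip")
        msg.add_attachment(fake_zip, maintype="application",
                           subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_attachments(build_sample_message()):
        print(finding["filename"], "->", "; ".join(finding["reasons"]))
    print("quarantine:", should_quarantine(build_sample_message()))
```

Running the script flags invoice.zip for its extension and report.pdf for carrying zip magic bytes under a PDF name, while the genuine PDF passes. In a real deployment the same check would sit in a milter or gateway rule and the flagged message would be quarantined for review rather than delivered.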

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.