HHS issued Ransomware guidance recently that clarified that a ransomware attack involving ePHI (electronic Protected Health Information) is a HIPAA breach unless the Covered Entity of Business Associate can demonstrate that there is a low probability that the PHI has been compromised.

Ransomware is a type of malicious software that denies access to data, generally by encrypting the data with a private encryption key that is only provided once the ransom is paid. Sometimes the ransomware will steal, destroy or export data from information systems. According to the guidance, since early 2016 there have been, on average, 4,000 ransomware attacks each day.

The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, specifically (from the guidance):

  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
  • Implementing procedures to safeguard against malicious software;
  • Training authorized users on detecting malicious software and report such detections;
  • Limiting access to ePHI to only those persons or software programs requiring access; and
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

Under the HIPAA Breach Notification Rule, the guidance makes clear that a ransomware attack usually results in a breach of healthcare information. As noted in the guidance, and under the Rule, entities experiencing a breach of unsecured PHI must notify HHS, individuals whose information is involved in the breach, and in some cases, the media, unless the entity can document and demonstrate that there is a low probability that the information was compromised.