Remaining Compliant with OCR’s Ransomware Guidance
Ransomware. The term has gained notoriety well beyond compliance and privacy officers and become a household word, thanks to the steady stream of news stories about ransomware attacks.
If it seems like you can’t turn to your favorite news source without seeing another instance of data being held hostage, you aren’t alone. Interagency guidance from the US Government cites a statistic indicating that ransomware attacks are up 300% over the prior year and now occur, on average, 4,000 times a day.
What is Ransomware?
Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the attacker who deployed the malware, until a ransom is paid. After the data is encrypted, the ransomware directs the user to pay the attacker (usually in a cryptocurrency such as Bitcoin) in exchange for a decryption key; payment does not guarantee that a working key will ever be supplied. Attackers may also deploy ransomware that destroys or exfiltrates data, or deploy ransomware alongside other malware that does so.
The true cost of these attacks reaches far beyond the actual sum of the ransom. There is an additional cost associated with:
- Loss of access to the ransomed information
- Disruption to business processes and to the organization’s security operations
- Potential impact on customers and an organization’s ability to serve them
- Potential impact on an organization’s reputation
As of July 11, 2016, there is an additional consideration for HIPAA-regulated entities: new guidance that a ransomware attack may trigger the HIPAA Breach Notification Rule even when the affected data was encrypted, and therefore requires a documented multi-factor risk assessment.
Ransomware – now presumed a notifiable breach for HIPAA-regulated entities
The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) recently issued new guidance on ransomware that addresses the question of whether a ransomware incident is a reportable breach. Described as “essential reading for CISOs, CIOs, and all members of the senior leadership team,” this guidance significantly changes how HIPAA-regulated entities must assess and respond to ransomware attacks in order to remain compliant with the HIPAA Rules.
The new guidance makes it clear that notification may be required, even in the case where protected health information (PHI) is encrypted:
“However, even if the PHI is encrypted in accordance with the HHS guidance, additional analysis may still be required to ensure that the encryption solution, as implemented, has rendered the affected PHI unreadable, unusable and indecipherable to unauthorized persons.”
– Office for Civil Rights, Fact Sheet: Ransomware and HIPAA
A key new piece of the OCR guidance is that, in demonstrating “there is a low probability that the PHI has been compromised,” entities must consider additional risk factors, such as a high risk that the data will be unavailable, or a high risk to the data’s integrity.
Unless an entity can demonstrate a low probability of compromise under the new guidance, a ransomware attack is presumed to be a reportable breach. This is a stark departure from the previously common view that an attack on already-encrypted data was not reportable as a breach.
When to notify?
Under this new guidance, the security or privacy of the PHI is considered compromised, even if the entity had encrypted it, once the data is under the control of an unauthorized individual: the organization can no longer access it, and the integrity of the data is at high risk. Note that the entity’s own encryption only helps if it actually kept the plaintext away from the malware. Full-disk encryption, for example, does nothing against ransomware running in an authenticated user’s session, because the operating system transparently decrypts files for any process running as that user.
There are mitigating circumstances in which a ransomware attack may not be a notifiable breach: when the covered entity or business associate can demonstrate a low probability that the PHI has been compromised. To do so, the entity must conduct the four-factor risk assessment required by the HIPAA Breach Notification Rule, augmented with the ransomware-specific factors in the newly published guidance (see section 7 of the Ransomware Fact Sheet), to determine its notification obligations. The four factors are:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
Additional, ransomware-specific factors, such as the risk that the data will be unavailable for use and whether it can be fully and promptly recovered from backup, should be incorporated into the risk assessment. Recovery from backup only counts as mitigation if the backups were beyond the ransomware’s reach (offline or otherwise isolated from the infected systems) and the restore has actually been tested; and even a complete restore does not by itself rule out exfiltration, so the assessment should also cover whether any data left the environment.
What do Privacy and Security Officers Need to Know?
Remaining compliant with OCR’s guidance requires that HIPAA-regulated entities – covered entities and business associates alike – perform the risk assessment and retain the documentation that establishes a low probability of compromise, because the burden of proof rests with the entity.
How is a ransomware attack factored into an assessment using RADAR?
For RADAR customers, assessing a ransomware attack is built into the RADAR platform. Risk factor options allow you to profile and assess a ransomware incident in accordance with OCR’s guidance.
In the end, developing a culture of compliance through strict adherence to OCR guidance is something that organizations should strive for every day – beyond the context of ransomware attacks, and not just when the possibility of a breach is front of mind.
- Fact Sheet: Ransomware and HIPAA, issued by HHS