New HIPAA Guidance on Ransomware: OCR’s encryption “gold standard” is no longer “golden”

By Margaret Young Levi and Kathie McDonald-McClure

Ransomware encrypts a user’s data and denies access to that data until a ransom is paid. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has released new guidance to help health care entities better understand and respond to the ever-increasing threat of ransomware.  On July 11, 2016, HHS posted a blog entitled “Your Money or Your PHI: New Guidance on Ransomware.”  The HHS blog post includes a Fact Sheet for health care entities regarding ransomware.  This blog post highlights some of the more striking points in the OCR Fact Sheet and considerations for entities subject to HIPAA in addressing ransomware attacks.

Ransomware can cause harm beyond denying access to data.  The OCR Fact Sheet provides useful technical details about how ransomware malware works, and notes that data can be exfiltrated (i.e., transferred outside the computer network system).  Exfiltration can occur before or after the ransomware attack that encrypts the data.  It depends on the type of malware employed in the attack.  An April 2016 ransomware report from the Institute for Critical Infrastructure Technology (ICIT) provides even more technical details about the types of ransomware currently in use.  The ICIT report states that advanced persistent threats (APTs) and other hackers interested in collecting confidential data use ransomware as a form of distraction while stealthily using other malware to exfiltrate data.

The use of ransomware has skyrocketed.  According to OCR, the number of ransomware attacks has risen steeply in the last year, from an average of 1,000 per day in 2015 to an average of 4,000 attacks daily since January 1, 2016, including some very public attacks on hospitals.  Hospitals and other health care providers are especially vulnerable to ransomware attacks because they possess sensitive information to which they must maintain access in order to care for patients.  In response to this growing threat, the OCR Fact Sheet “describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role the Health Insurance Portability and Accountability Act (HIPAA) has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.”

OCR’s position is that a ransomware attack is a “breach”, period.  Whether notification is required under HIPAA depends on the entity’s documented investigation into the event.  A HIPAA breach analysis under the applicable regulations involves determining whether protected health information (PHI) has been compromised.  There has been some controversy over whether the OCR Fact Sheet is giving some latitude to conclude that there is no breach with a ransomware event.  However, on good authority, OCR’s position is that because the attacker has gained control over the computer data by encrypting files, this constitutes “unauthorized access” and a “breach”.  Notification will be required unless the entity’s investigation determines that there has not been a “compromise” of PHI.  Per OCR, while control constitutes a “security incident” and a “breach”, whether the presence of the ransomware escalates the event from a breach to one that must be reported to OCR depends on the facts and, in the case of most ransomware, a forensics analysis.

OCR states that it is up to the covered entity or business associate to refute the presumption of a breach requiring notification by demonstrating there is a “low probability that the PHI has been compromised.”  In other words, when there is a security incident involving PHI, a breach is presumed unless it is refuted by a low-probability-of-compromise (“LoProCo”) analysis.  Bottom line: Per the OCR Fact Sheet, a covered entity or business associate that suffers a ransomware attack involving ePHI must either notify patients whose ePHI was involved in the attack or refute the presumption that the ePHI was compromised by gathering specific facts under a LoProCo analysis that support a low probability of compromise due to the ransomware attack.

Conducting a LoProCo analysis of a ransomware attack.  According to the Fact Sheet, the LoProCo analysis, at a minimum, must consider the following four factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification (for example, was the ransomware attack on unencrypted or encrypted electronic health records or was it isolated to a few desktop computers of the workforce that do not have access to PHI?);
  2. The unauthorized person who used the PHI or to whom the disclosure was made (with ransomware, the unauthorized person is a hacker, as opposed to a lab report faxed to the wrong healthcare provider who respects the report’s confidentiality and returns it);
  3. Whether the PHI was actually acquired or viewed (e.g., the exact type and variant of malware, which will likely require a computer forensics review); and
  4. The extent to which the risk to the PHI has been mitigated (e.g., was the lost PHI recovered?).

Entities subject to a ransomware attack will need an expert in computer forensics to assess, among other things:

  • Whether the ransomware attack allowed the hackers to exfiltrate the data either before or after the attack.
  • Whether the exfiltrated data was encrypted by the entity before the attack and can be accessed once exfiltrated.
  • Whether the type of ransomware attack would have allowed the intruder to collect passwords or keys that would enable access to otherwise encrypted or password-protected ePHI.

HIPAA-covered entities are not out of the woods with OCR even if the results of a LoProCo analysis are that there is a low risk of compromise to actual ePHI.  OCR suggests that the LoProCo analysis should go beyond the regulatory requirements by focusing not only on whether the data was acquired or viewed, but also on whether it is no longer available to health care entities and patients and, thus, poses harm to patients if not available for treatment.  OCR goes further than the HIPAA breach notification regulations by advising that patients should be notified if there is high risk of unavailability of the data or high risk to the integrity of the data.  The regulations only require notification if the information has been acquired by an unauthorized third party, not just made inaccessible for use.

Encryption, which has been OCR’s “gold standard” in preventing a breach, is not golden when it comes to ransomware and other malicious attacks.  Generally, HIPAA breach notification provisions apply only to “unsecured PHI,” i.e., data that is not secured in a manner consistent with OCR guidance.  Covered entities and business associates should determine whether attacked ePHI was already encrypted before the attack in a manner that complies with OCR’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.  However, this is not the end of the inquiry.  Before issuing this Fact Sheet, OCR’s announced position had been that ePHI that was encrypted before the “security incident” pursuant to the aforementioned Guidance relieved an entity from conducting a LoProCo analysis and providing breach notification.  However, HIPAA-covered entities can no longer rely on encryption as the gold standard to avoid breach notification. 

Even if the PHI is encrypted in accordance with the aforementioned Guidance, OCR says additional analysis may still be required to ensure that “the encryption solution, as implemented, has rendered the affected PHI unreadable, unusable and indecipherable to unauthorized persons.”  OCR points out that some forms of encryption, particularly full disk encryption, may not protect PHI when the computer device is powered on and in use by an authenticated user.  For example, when the computer user clicks on a malicious link in a phishing email that downloads malicious code, the entity will have to conduct a further assessment of whether the ePHI was readable by the intruder while the computer was in use and attacked.  In other words, if an authorized computer user has unlocked PHI in order to use it, the entity must assess whether the hacker could have accessed and viewed the PHI in the user’s computer files or files on an infected network.  For a discussion of data-at-rest encryption that can potentially expose PHI when devices are powered on, see “The true story of data-at-rest encryption & the cloud,” by Karen Scarfone, published by Armor (2016).

Employ security measures to protect against ransomware, including education of your workforce.  The Fact Sheet reiterates HIPAA’s requirement to provide security awareness training to the workforce, including training for detecting and reporting instances of malicious software.  Educate your workforce on the following ransomware indicators:

  • a realization by the user that he or she clicked on a link, opened a file attachment or visited a website that may have been malicious in nature;
  • an increase in activity in the central processing unit (CPU) of a computer and disk activity for no apparent reason (due to the ransomware searching for, encrypting and removing data files);
  • an inability to access certain files as the ransomware encrypts, deletes and re-names and/or re-locates data; and
  • detection of suspicious network communications between the ransomware and the attackers’ command and control server(s) (this would most likely be detected by IT personnel via an intrusion detection or similar solution).
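The indicators above are the ones a workforce member or IT staff would notice by hand.  The following Python script, added here as an illustration and not part of the OCR Fact Sheet or this post, shows how two of them can be checked automatically over log data: the burst of renamed or newly inaccessible files that an encrypting process produces, and the regular command-and-control traffic an intrusion detection system would flag.  The log formats, file extensions, thresholds, user and host names, and IP addresses are all constructed assumptions.

```python
"""Heuristic triage of two ransomware indicators over constructed sample logs.

Added illustration; not code from the OCR Fact Sheet or this post.  Both log
formats are assumptions, as are the detection thresholds.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
import posixpath

# Constructed file-activity log (assumed format: timestamp,user,process,action,path).
# The .locked extension and the process/user names are made up for the sample.
FILE_LOG = r"""
2016-07-11T09:00:01,jdoe,winword.exe,WRITE,C:\Users\jdoe\Documents\notes.docx
2016-07-11T09:00:05,jdoe,outlook.exe,READ,C:\Users\jdoe\Downloads\invoice.zip
2016-07-11T09:00:07,jdoe,invoice.exe,RENAME,C:\Users\jdoe\Documents\notes.docx.locked
2016-07-11T09:00:08,jdoe,invoice.exe,RENAME,C:\Users\jdoe\Documents\budget.xlsx.locked
2016-07-11T09:00:08,jdoe,invoice.exe,RENAME,C:\Users\jdoe\Documents\labs.pdf.locked
2016-07-11T09:00:09,jdoe,invoice.exe,RENAME,C:\Users\jdoe\Pictures\scan1.jpg.locked
2016-07-11T09:00:09,jdoe,invoice.exe,RENAME,C:\Users\jdoe\Pictures\scan2.jpg.locked
2016-07-11T09:00:10,jdoe,invoice.exe,WRITE,C:\Users\jdoe\Documents\README_TO_DECRYPT.txt
2016-07-11T09:05:00,jdoe,explorer.exe,RENAME,C:\Users\jdoe\Documents\old.docx
"""

# Constructed outbound-connection log (assumed format: timestamp,src_ip,dst_ip,dst_port,bytes).
# Destination addresses are from the documentation ranges (RFC 5737).
NET_LOG = """
2016-07-11T09:00:12,10.20.30.40,203.0.113.7,443,612
2016-07-11T09:00:15,10.20.30.40,198.51.100.20,443,14022
2016-07-11T09:01:12,10.20.30.40,203.0.113.7,443,598
2016-07-11T09:02:12,10.20.30.40,203.0.113.7,443,604
2016-07-11T09:03:12,10.20.30.40,203.0.113.7,443,611
2016-07-11T09:03:40,10.20.30.40,198.51.100.20,443,8810
2016-07-11T09:04:12,10.20.30.40,203.0.113.7,443,599
"""

# Extensions the organisation expects to see on user documents (assumed allow-list).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".zip"}


def parse_file_log(text):
    """Return (timestamp, user, process, action, path) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, proc, action, path = line.split(",", 4)
        rows.append((datetime.fromisoformat(ts), user, proc, action, path))
    return rows


def parse_net_log(text):
    """Return (timestamp, src, dst, port, bytes) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows


def extension(path):
    """Lower-cased final extension of a Windows or POSIX path."""
    name = posixpath.basename(path.replace("\\", "/"))
    return posixpath.splitext(name)[1].lower()


def find_mass_renames(events, window=60, threshold=5, known=KNOWN_EXTENSIONS):
    """Flag processes that rename/write >= threshold files to unexpected
    extensions inside a sliding window of `window` seconds.  Returns
    {process: peak_count}.  This is the 'files suddenly inaccessible or
    renamed' indicator; a single odd rename is normal, a burst is not."""
    by_proc = defaultdict(list)
    for ts, _user, proc, action, path in events:
        if action in ("RENAME", "WRITE") and extension(path) not in known:
            by_proc[proc].append(ts)
    flagged = {}
    for proc, stamps in by_proc.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[proc] = peak
    return flagged


def find_beacons(conns, min_count=4, max_cv=0.15):
    """Flag (src, dst, port) flows contacted at near-constant intervals: at
    least `min_count` connections whose inter-arrival times have a
    coefficient of variation <= max_cv.  Returns {flow: mean_gap_seconds}.
    Regular check-ins to one host are the command-and-control pattern an IDS
    would surface; ordinary browsing is bursty and irregular."""
    by_flow = defaultdict(list)
    for ts, src, dst, port, _nbytes in conns:
        by_flow[(src, dst, port)].append(ts)
    flagged = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            flagged[flow] = m
    return flagged


if __name__ == "__main__":
    print("mass renames:", find_mass_renames(parse_file_log(FILE_LOG)))
    print("beacons:", find_beacons(parse_net_log(NET_LOG)))
```

On the sample data the rename check singles out the constructed `invoice.exe` process (five renames to an unknown extension in two seconds) while ignoring the lone `explorer.exe` rename, and the beacon check flags the host's minute-by-minute contact with 203.0.113.7 while leaving the two irregular connections to 198.51.100.20 alone.  Both thresholds are starting points to tune against a site's own baseline; the value of the exercise is that these are the same signals the Fact Sheet asks staff to report, expressed as something the security team can run continuously.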

As set forth in the Fact Sheet, some of the same security measures that help covered entities and business associates comply with HIPAA can help them recover from infections of malware, including ransomware.  HIPAA-covered entities should ensure that they have security incident procedures in place that include steps for responding to and reporting of security incidents.  Entities also should implement a data backup plan and other contingency or business continuity plans (preferably with backups stored separately and offline).

For additional technical guidance about ransomware, see the June 20, 2016 letter from HHS Secretary Sylvia M. Burwell enclosing two helpful documents, “Ransomware:  What It Is and What To Do About It” and “How to Protect Your Networks from Ransomware.”

Please note that although this blog may be helpful in informing clients and others who have an interest in information privacy and security, it is not intended to be legal advice. The information on this blog also should not be relied upon to form an attorney-client relationship.
