New HIPAA Guidance on Ransomware: OCR’s encryption “gold standard” is no longer “golden”

By Margaret Young Levi and Kathie McDonald-McClure

softwareRansomware encrypts a user’s data and denies access to that data until a ransom is paid. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has released new guidance to help health care entities better understand and respond to the ever-increasing threat of ransomware.  On July 11, 2016, HHS posted a blog entitled “Your Money or Your PHI: New Guidance on Ransomware.”  The HHS blog post includes a Fact Sheet for health care entities regarding ransomware.  This blog post highlights some of the more striking points in the OCR Fact Sheet and considerations for entities subject to HIPAA in addressing ransomware attacks.

Ransomware can cause harm beyond denying access to data.  The OCR Fact Sheet provides useful technical details about how ransomware malware works, and notes that data can be exfiltrated (i.e., transferred outside the computer network system).  Exfiltration can occur before or after the ransomware attack that encrypts the data.  It depends on the type of malware employed in the attack.  An April 2016 ransomware report from the Institute for Critical Infrastructure Technology (ICIT) provides even more technical details about the types of ransomware currently in use.  The ICIT report states that advanced persistent threats (APTs) and other hackers interested in collecting confidential data use ransomware as a form of distraction while stealthily using other malware to exfiltrate data.

The use of ransomware has skyrocketed.  According to OCR, the number of ransomware attacks has risen steeply in the last year, from an average of 1,000 per day in 2015 to an average of 4,000 attacks daily since January 1, 2016, including some very public attacks on hospitals.  Hospitals and other health care providers are especially vulnerable to Continue reading