Earlier this year we wrote about ransomware (a type of malicious software that takes data hostage), and its alarming rise in the health care sector (you can read the article here). In response to this growing threat (a recent government report found an average of 4,000 ransomware attacks every day this year), the U.S. Department of Health and Human Services’ Office for Civil Rights has issued new HIPAA guidance. The guidance discusses how covered entities and business associates should protect against and respond to ransomware.

Most of OCR’s advice isn’t new. The HIPAA Security Rule already requires security measures to prevent the introduction of malware, which includes ransomware. Key security measures include: conducting a risk analysis, mitigating or remediating identified risks, implementing procedures to detect malware, training staff members on detecting and reporting malware, and limiting access to electronic protected health information (ePHI) only to those people who need it.

Another element of the Security Rule is the requirement for a contingency plan, which should include data backup, emergency mode operations planning, and disaster recovery. In the context of ransomware, maintaining frequent data backups will make it much easier to recover from an attack without paying the ransom. OCR notes that ransomware can also encrypt or corrupt backups that are reachable from an infected system, so entities should consider maintaining offline (or otherwise network-isolated) backups and should regularly test that data can actually be restored from them.

Finally, HIPAA requires entities to have procedures in place for dealing with security incidents. These procedures should address detecting, containing and removing the malware; remediating the vulnerabilities that allowed the attack; restoring data and normal operations; and, when appropriate, reporting the incident.

OCR also points out that the requirements of the Security Rule are a floor, not a ceiling, and that entities are encouraged to adopt even more rigorous protections.

Perhaps the most notable part of the guidance makes clear that ransomware can be both a security incident and a breach. First, the mere presence of ransomware on a system is a “security incident” as defined by the HIPAA Security Rule, and therefore covered entities and business associates must respond to ransomware in accordance with their security incident procedures. Further, ransomware may also result in a breach of protected health information under the HIPAA Privacy Rule, which would require additional notifications and responses. If a ransomware attack succeeds in encrypting the entity’s ePHI, OCR’s position is that a breach is presumed to have occurred, because an unauthorized party has acquired control of the data and that constitutes a disclosure not permitted by the Privacy Rule. However, if the entity can demonstrate that there is a “low probability that the PHI has been compromised,” based on a post-incident risk assessment, then it would not be a reportable breach. For example, if the data was already encrypted by the entity in a manner consistent with HHS guidance at the time of the attack, the incident may not involve “unsecured PHI” and would not be a breach; but this is a fact-specific determination based on the encryption solution in place at the time. A common pitfall is full-disk encryption: it protects data only while the system is powered off or locked, and ransomware running on a booted machine with an authenticated user has the same access to the decrypted files as that user, so full-disk encryption alone generally does not support a low-probability finding.

The primary takeaway from the guidance is the reminder that organizations must develop and implement security incident procedures to respond to the threat of ransomware, along with whatever new forms of malware the hackers dream up next.

The complete guidance can be found here: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf