We’ve seen an increasing number of crypto-ransomware incidents targeting dentists and physicians in the last few weeks.
It’s a good time to review our Frequently Asked Questions about Ransomware and HIPAA.
If my IT company says that the patient data was just encrypted and not compromised, is it a breach?
Yes, it is a breach. According to the federal government, “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a 'disclosure' not permitted under the HIPAA Privacy Rule.” [FACT SHEET: Ransomware and HIPAA https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf]
Before you panic, it doesn’t mean that you immediately have to notify your patients, the media, and Health and Human Services (HHS) that a breach has occurred. First, you have the opportunity to assess whether there is a “low probability that the PHI has been compromised” by conducting and documenting a Breach Risk Assessment [45 CFR 164.402(2)].
How do I demonstrate “…that there is a low probability that the PHI has been compromised” such that breach notification would not be required?
For a crypto-ransomware breach, this requires an analysis of the incident, which may include an expert review of the files, logs, hard drives, device images, network logs, and other data. This review must be performed by an information security specialist with the experience and credentials required to make such a determination. If you can’t demonstrate a low probability that PHI has been compromised, you will need to follow the requirements of the HIPAA Breach Notification Rule (45 CFR 164.400-414) to notify the affected individuals (patients), the media, and the Secretary of Health and Human Services (HHS). https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
If my IT person identifies the type of ransomware, is that enough?
While your IT person may be extremely knowledgeable about your information systems, they would need to be able to document their analysis and provide credentials that would satisfy a federal investigation or review. They would need to provide the documentation and evidence to support their determination of the type of ransomware along with evidence that the malware did not make an attempt to exfiltrate data (send it somewhere outside your network) or perform other unauthorized access of the information systems or data. They would also need to provide the methods they used to make this determination in writing.
What if I was unable to restore my PHI from backups?
If you are unable to restore PHI from backups, you must also assess the integrity and availability of the data. HIPAA requires covered entities to “Ensure the confidentiality, integrity, and availability of all electronic protected health information…” [45 CFR 164.306] If the data is decrypted using a decryption key, you must be able to verify the integrity of the data. If you are unable to recover patient files, then the PHI is not “available.” In either case, there is a higher probability that the PHI was compromised.
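One practical way to support the integrity and availability findings described above is to compare the recovered files against a hash manifest taken from a known-good backup. The script below is an added illustration, not code from the original FAQ or from LayerCompliance; it assumes a pre-incident SHA-256 manifest exists (produced here from a constructed “backup” folder) and classifies each restored file as intact, modified or missing, while also flagging files that were not in the backup at all. All file names and contents are constructed sample data, not real patient records.

```python
"""Integrity and availability check for restored PHI files.

Compares a pre-incident hash manifest (which a practice would normally build
from a known-good backup) against the files recovered after a ransomware
incident, so the breach risk assessment can state which files came back
unchanged (integrity preserved), which were altered, and which are still
missing (availability not restored).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root, POSIX form) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Classify each manifest entry against the restored tree.

    intact     - present and hash matches (integrity verified)
    modified   - present but hash differs (integrity NOT verified)
    missing    - absent from the restored tree (not "available")
    unexpected - present in the restored tree but absent from the manifest
    """
    report = {"intact": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            report["missing"].append(rel)
        elif sha256_of(candidate) == expected:
            report["intact"].append(rel)
        else:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(build_manifest(restored_root)) - set(manifest))
    return report


def run_demo() -> dict:
    """Constructed scenario (hypothetical, not real PHI): three records in the
    backup; after restore one is intact, one is altered, one never came back,
    and a leftover file that was not in the backup is present."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        restored = Path(tmp) / "restored"
        for d in (backup, restored):
            (d / "records").mkdir(parents=True)

        # Constructed pre-incident records and their manifest.
        (backup / "records" / "patient_001.txt").write_text("visit 2023-01-05 cleaning\n")
        (backup / "records" / "patient_002.txt").write_text("visit 2023-01-06 x-ray\n")
        (backup / "records" / "patient_003.txt").write_text("visit 2023-01-07 filling\n")
        manifest = build_manifest(backup)

        # Constructed post-restore state: 001 intact, 002 altered, 003 missing,
        # plus a file that has no manifest entry.
        (restored / "records" / "patient_001.txt").write_text("visit 2023-01-05 cleaning\n")
        (restored / "records" / "patient_002.txt").write_text("visit 2023-01-06 x-ray\nGARBLED\n")
        (restored / "LEFTOVER_NOTE.txt").write_text("placeholder text\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in run_demo().items():
        print(f"{status}: {files}")
```

The report from `verify_restore` is the kind of artifact that belongs in the dated Breach Risk Assessment: a file in the `modified` list means integrity could not be verified, and anything in `missing` means that PHI is not available. The manifest itself should be generated from backups before an incident, since a hash list produced after the fact cannot prove what the data looked like beforehand.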
If it isn’t a breach, why do I need documentation?
Up to six years after the incident, the Office for Civil Rights (OCR), the agency that enforces HIPAA, can request a copy of your Breach Risk Assessment, including all of the expert analysis used to determine that it wasn’t a breach. If you can’t provide sufficient documentation dated immediately after the incident (within 30 days, so that you would still have time to meet the 60-day notification requirement if it were determined to be a breach), OCR may find you in willful neglect of the Breach Notification Rule. That can lead to huge penalties, like the $475,000 fine for lack of timely breach notification: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/presence/index.html
How can the federal government find out that I had ransomware?
OCR opens investigations for breaches, so if your ransomware incident was part of a larger event that affected other healthcare providers, OCR may investigate the larger event if another office files a breach notification. OCR will also open an investigation if a patient files a complaint on the OCR website (https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf), which can happen if a patient hears about the ransomware, had their appointment canceled due to the computers “being down,” or was unable to get their patient records.
Can I just do the breach risk assessment if I get asked for it later?
You can’t go back in time to do the breach risk assessment. Your breach risk assessment must be documented and dated immediately following the incident (within 30 days). An OCR investigation would most likely occur some months later, far too late to be in compliance with the 60-day breach notification requirements.
Is the breach risk assessment the only thing that I need to do?
You must perform (and document) your security incident response procedures, which may include updating or performing a new risk analysis, reviewing and updating policies and procedures, implementing additional security measures, and reviewing and updating your risk management plan. OCR may ask for multiple documents during an investigation and can ask for documentation that existed prior to the incident occurring as well as any corrective action performed as a result of the incident.
Also, if your breach risk assessment does not demonstrate a low probability that PHI was compromised, you must follow the requirements of the Breach Notification Rule to notify your patients, the media, and the Secretary of HHS.
Can you help us if we have a ransomware incident?
The LayerCompliance team can provide expert consulting services to assist you with your breach risk assessment and security incident response. However, our team cannot go back in time, so if you have a ransomware incident, contact us as quickly as possible so that we can help.