MDNews - Central New York

September/October 2016

Issue link: http://viewer.e-digitaledition.com/i/717396


LEGALEASE

Addressing Ransomware as Part of Your HIPAA Compliance Program
BY MAUREEN DUNN MCGLYNN, JD

An increasing number of hospitals around the country have been crippled by ransomware attacks. Until recently, hospitals and other healthcare facilities were unsure whether these malware infections were required to be reported as breaches of HIPAA. Recent guidance issued by the United States Department of Health and Human Services Office for Civil Rights (OCR) signals that these attacks do, in fact, constitute breaches under HIPAA and trigger breach notification processes by HIPAA-covered entities and business associates.

Ransomware is malicious software, or malware, that attempts to prevent users from accessing their data by locking their devices or by encrypting the data with a key known only to the hacker. Once the data is locked or encrypted, the hacker demands that the authorized users pay a ransom in order to unlock or decrypt the data. Ransomware is of particular concern to hospitals and other healthcare facilities that require quick and ongoing access to patient information to provide quality, often urgent, patient care.

Hospitals and other healthcare facilities have become ransomware attack targets. Methodist Hospital in Henderson, Kentucky, recently was forced to operate in an internal state of emergency after its internal network was infected by the "Locky" strain of ransomware. Locky encrypts a user's files so the files can no longer be opened by the user's normal programs until a "ransom" is paid. The Locky ransomware was also used to collect a $17,000 "ransom" from Hollywood Presbyterian Medical Center in California. The attack on Hollywood Presbyterian involved hackers using malware to infect the hospital's computers, preventing hospital staff from being able to communicate from the infected devices for days.

As a result of the increased frequency of cyberattacks on hospitals and other healthcare facilities, the OCR recently released guidance on ransomware, known as the OCR Ransomware Guidance. The OCR Ransomware Guidance describes ransomware attack prevention and recovery steps and how HIPAA-covered entities and business associates should manage ransomware from a HIPAA perspective.

The OCR Ransomware Guidance advises healthcare organizations that compliance with the HIPAA security rule will help to prevent ransomware attacks. For example, the HIPAA security rule requires a healthcare organization to conduct a risk analysis to identify threats and vulnerabilities to its electronic health information and also to implement security measures to address the identified risks. This would include implementing procedures to guard against and detect malicious software.

HIPAA compliance can also help HIPAA-covered entities and business associates recover from ransomware attacks. For example, the HIPAA security rule requires organizations to maintain contingency and business continuity plans in the event access to their data is denied. Therefore, in the event of a ransomware attack, HIPAA-compliant organizations are more likely to be able to activate already-in-place emergency operations and data restoration plans so as to continue their business operations while responding to and recovering from a ransomware attack.

The OCR Ransomware Guidance provides a list of ransomware attack indicators that should be included as part of an organization's HIPAA security workforce training. It also provides suggested steps a healthcare organization should take as part of its security incident response activities.

The OCR Ransomware Guidance highlights the OCR's determination that a ransomware attack that causes encryption of the organization's electronic health information constitutes a "breach" under HIPAA. OCR reasons that in such a case, there is, in effect, an unauthorized disclosure of the data because unauthorized individuals have taken possession or control of the data. Unless the covered entity or business associate can demonstrate there is a low probability that the data has been compromised, the organization must comply with the HIPAA breach notification rule, including notifying all affected individuals of the breach.

In the event of a ransomware attack, covered entities and business associates must conduct a risk assessment to determine whether there is a low probability that the data has been compromised as a result of the attack. Pursuant to the HIPAA breach notification rule, the assessment must include at least the following four factors:

+ The nature and extent of the electronic health information involved, including the types of data identifiers and the likelihood of re-identification
+ The unauthorized person who used the health information or to whom the disclosure of the information was made
+ Whether the information was actually acquired or viewed
+ The extent to which the risk to the information has been mitigated

If an analysis using the above factors indicates the data has been compromised, entities must provide notification to affected individuals without unreasonable delay.

In light of the recent cyberattacks against hospitals, the OCR Ransomware Guidance should be reviewed by all HIPAA-covered entities and business associates. In addition, these entities must ensure that their policies and procedures are compliant with HIPAA, including the HIPAA security and breach notification rules.

Maureen Dunn McGlynn, JD, is a member of CCBLaw, a boutique law firm focused on providing counsel to physicians and other healthcare professionals. She can be reached at 315-477-6276 or mmcglynn@ccblaw.com.
