The topic of ransomware, especially ransomware hitting healthcare organizations, is making headlines daily. Dan Munro has a very good article over at Forbes that asks an important question:
Is Ransomware Considered A Health Data Breach Under HIPAA?
David Harlow, Principal – The Harlow Group, LLC, whose insight into HIPAA law I respect greatly, states:
Ransomware has just recently come to the fore as a threat to the healthcare industry and it challenges our collective instincts about what should be considered data breaches under HIPAA. We need to remember that HIPAA is narrowly drawn and that a breach is defined as the unauthorized “access, acquisition, use or disclosure” of PHI. In many cases, ransomware “wraps” PHI rather than breaches it. This may explain why there are so few public reports of ransomware in healthcare – there is no obligation to report these incidents to OCR
I agree with David that ransomware, as we know it today, would not result in a reportable breach because the data is not accessed or viewed but only encrypted.
Keep in mind that when HIPAA regulations were written no one was thinking about ransomware. In fact, the iPhone had not even been invented when the HIPAA Security Rule was published (yep HIPAA is that old!)
But we are seeing new ransomware that is pulling information such as the amount of records encrypted so they can charge a higher ransom. Ransomware in the future may technically access PHI and cause a data breach. So the questions that need to be answered are:
Can the organization prove that the data was not accessed?
Do they have the technical controls in place to “see” if the data was accessed or transferred outside of the network?
We are starting to see ransomware that infects a system but sits dormant for a while and loads other types of malware that may access data / PHI or allow access by a third party. These types of attacks would result in a reportable breach. Again the question is: can the organization “prove” that the ransomware attack just encrypted the data and did not access the data?
According to Health and Human Services (HHS) a breach is:
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
I highlighted the above items because I believe that in the case of ransomware, the organization has to prove that the data and PHI was not accessed or acquired. This is critical to determining if the attack would result in a reportable breach.
As David Harlow stated, your run-of-the-mill, ransomware wraps the data or encrypts the data. The data is never moved from the server or desktop (acquired) and the data is never viewed by a person or organization outside of the covered entity or business associate. Therefore the ransomware attack would not be considered a reportable breach under HIPAA regulations.
But as I mentioned, more sophisticated ransomware is starting to show up. And as ransomware evolves and starts copying data off of servers or desktops and/or starts loading other malware that may capture keystrokes or allow access to a system by a third party, breach determination is not so cut and dry.
It is generally accepted that if a laptop that contains PHI is lost or stolen and the data is not encrypted (or the encryption key is written on a yellow sticky-note that is attached to the laptop) the result would be a reportable breach to all affected individuals.
Now if the laptop was found or returned, it is the responsibility of the organization to “prove” that the data that was on the laptop was not accessed or viewed. If the organization cannot prove that the data was not accessed or viewed it is generally accepted that the result would be a reportable breach. The organization might use forensics to help determine if anyone powered-on the laptop, logged into the laptop, access data on the laptop, copied data off of the laptop, etc. Without the help of forensics it would be very difficult to determine if the data on the laptop was viewed or accessed.
Apply to Ransomware
To determine if a ransomware attack would result in a reportable breach, we can use the same methodology that we used to determine if a stolen or lost laptop would result in a reportable breach. Can forensics help determine if the ransomware allowed a third party access to the organization’s network? Did the third party view or access PHI? Did the ransomware copy PHI off of the organization’s network? Which PHI was copied?
The problem that organizations may face is that they may not be setup to answer the questions regarding whether ransomware viewed or accessed PHI. Forensics would need to look at log files of access to data and PHI, traffic moving from a network through the firewall and to outside servers, etc.
Without the help of forensics would the organization have to assume the ransomware viewed or acquired the data just like in the case of a lost or stolen laptop?
No Black or White Answer
Everyone looks at HIPAA regulations and wants a black or white answer. Is this a breach? Is this not a breach? Unfortunately HIPAA is not black or white but very, very grey. The regulations are left to interpretation. In the case of ransomware, as we know it today and as it evolves tomorrow, there might not be a black or white answer. We may need guidance from OCR into how breach determination needs to be addressed with regard to ransomware.
One thing is very clear – ransomware is here to stay and will only get worse!