Ransomware is a huge issue today, across the globe and throughout all industries. It is an ever-evolving threat, morphing from one form to another and constantly chasing revenue streams while mitigating techniques lag behind. For HIPAA Covered Entities, HHS requirements regarding proper responses and procedures for specific threats such as ransomware also tended to lag behind the threat. Luckily for us, that guidance is now finally published.
Recently Redspin came across a scenario where we discovered ransomware-encrypted files on a server. We immediately reported this to our client and formulated a detailed recommendation. Apparently the entity was already aware of an initial ransomware incident, and may or may not have already detected this specific instance (the data may have been out of production).
The elephant in the room was, “Is a ransomware infection considered a breach?” followed by “What do we do?” No one was asking these questions though, so we broached the subject with them. More on that in a moment. While it is very typical that no one wants to ask these questions, imagine for a moment how many more breaches would be reported if the IT staff involved were more apt to err on the side of caution? But that takes us down another rabbit hole for another blog.
The good news here is that we now have fairly straightforward guidance from HHS and the OCR, released earlier this year, specifically concerning ransomware and the appropriate responses to it.
What do we do if we are a victim of Ransomware?
If you are a Covered Entity and you are a victim of Ransomware, no matter what type of data is involved, you must “invoke Security Incident Response procedures”. Incident Response includes immediately finding out the who, what, where, and how of the incident, as well as notifying everyone on your incident response team, including your compliance officer (who should be on this team).
If you’re unsure about what to do for this type of security incident, HHS conveniently outlines a set of Incident Response procedures on pages 4 and 5 of the Ransomware and HIPAA Fact Sheet.
Back To The Elephant in the Room: Is Being a Victim of Ransomware Considered a Breach?
If you are a Covered Entity and if you are a victim of Ransomware AND if any of that data includes ePHI, then basically, it’s a breach. YES, it’s a breach.
I said, “basically” because there are some exceptions to the breach notification policy, and here they are:
- You have to prove, through a risk assessment, that there is a low probability that the PHI has been compromised. That risk assessment must:
  - Examine the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  - Identify the unauthorized person who used the PHI or to whom the disclosure was made;
  - Identify whether the PHI was actually acquired or viewed (or uploaded!); and
  - Assess the extent to which the risk to the PHI has been mitigated.
As you can imagine, these exceptions would be nearly impossible to meet. Even if you were able to trace every bit of data entering and exiting your network, and review that traffic from months ago, how are you going to prove that the hacker didn’t just write down the information or take a bunch of screenshots? You can’t.
The fact of the matter is that some hacker has accessed your ePHI, for who knows how long, and legally an entity cannot second-guess the attacker’s intentions (e.g., “they just wanted to ransom the data”). That’s an assumption the OCR will not buy. You must assume that the data has been compromised.
Our final recommendation concerning Ransomware incidents is this: when in doubt, invoke the Security Incident Response procedure and get all the parties involved. They can then make the determinations and decisions necessary to cover all of the bases, ensure appropriate actions are taken, and make sure all the documentation is in order.