HHS Publishes Ransomware Guidance

HHS has published guidance for hospitals and other covered entities in light of recent prominent ransom attacks on hospital data.  The Q&As address Security Rule safeguards which can prevent ransomware and other malware, and also assist in identifying, investigating, responding to and mitigating ransomware attacks. Specifically, HHS notes that the presense of ransomware or any malware on a covered entity or its business associate's systems is a "security incident" as defined under HIPAA.  HHS also notes that, although a breach determination is a fact-specific inquiry,

When [ePHI] is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a "disclosure" not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a "...low probabilkity that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.

HHS provides the following examples for consideration as part of the risk assessment which must be conducted to determine whether there is a low probabiity that the ePHI was compromised:

  •  the exact type and variant of malware discovered;
  • algorithmic steps undertaken by the malware
  • communications, including exfiltration attempts between the malware and attackers' command and control services
  • whether the malware propagated to other systems, potentially affecting additional sources of ePHI. 

HHS further states,

Correctly identifying the malware involved can assist an entity to determine what algorithmic steps the malware is programmed to perform.  Understanding what a particular strain of malware is programmed to do can help determine how or if a particular malware variant may laterally propagate throughout an entity's enterprise, what types of data the malware is searching for, whether or not the malware may attempt to exfiltrate datam or whetheror not the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthroized access, among other factors. 

The full ransomware guidance can be found here.