HHS Publishes Ransomware Guidance

by | Jul 13, 2016 | Meaningful Use & Quality Payment Program

HHS has published guidance for hospitals and other covered entities in light of recent prominent ransomware attacks on hospital data. The Q&As address Security Rule safeguards which can prevent ransomware and other malware, and also assist in identifying, investigating, responding to and mitigating ransomware attacks. Specifically, HHS notes that the presence of ransomware or any malware on a covered entity's or its business associate's systems is a "security incident" as defined under HIPAA. HHS also notes that, although a breach determination is a fact-specific inquiry,

When [ePHI] is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a "…low probability that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.

HHS provides the following examples for consideration as part of the risk assessment which must be conducted to determine whether there is a low probability that the ePHI was compromised:

  • the exact type and variant of malware discovered;
  • algorithmic steps undertaken by the malware;
  • communications, including exfiltration attempts, between the malware and attackers' command and control services;
  • whether the malware propagated to other systems, potentially affecting additional sources of ePHI.

HHS further states,

Correctly identifying the malware involved can assist an entity to determine what algorithmic steps the malware is programmed to perform. Understanding what a particular strain of malware is programmed to do can help determine how or if a particular malware variant may laterally propagate throughout an entity's enterprise, what types of data the malware is searching for, whether or not the malware may attempt to exfiltrate data, or whether or not the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthorized access, among other factors.

The full ransomware guidance can be found here.
