n the first half of 2016, California and Maryland were the first states to experience ransomware attacks in hospitals and health systems. Furthermore, according to HHS, a recent U.S. government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016, a 300 percent increase over previous years.
Ransomware is a type of malicious software that gains control over a user’s data, typically by encrypting the data with a key only known to the hacker who has control. In such circumstances, the user is not given the key until a ransom is paid, usually via a cryptocurrency such as Bitcoin.
Determine if ransomware constitutes a breach under HIPAA
HHS stated in its recently issued guidance, “Unless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.” So, how does a covered entity or business associate determine low probability?
The guidance provided by HHS states that in order to determine whether or not there is a low probability the covered entity or business associate must perform an incident risk assessment using at least the four factors listed below. Keep in mind that HHS encourages entities to consider additional factors, ‘…to appropriately evaluate the risk that the PHI has been compromised’.
Four factors that must be considered during the risk assessment to determine low probability
- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- the unauthorized person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed; and
- the extent to which the risk to the PHI has been mitigated.
According to HHS guidance, entities and business associates security incident response policies and procedures must be ‘reasonable and appropriate’ to respond to malware, including ransomware, attacks as well as other security incidents.
HHS goes on to state that, “a thorough and accurate evaluation of the evidence acquired and analyzed as a result of security incident response activities could help entities with the risk assessment process.” The agency explained that other factors “may indicate compromise,” such as a high risk of data unavailability or high risk to the data’s integrity.
Given the staggering statistics and sharp spike in ransomware attacks in just one year, an attack may happen sooner rather than later. You’ll need to be prepared to conduct an incident risk assessment if your organization becomes a victim and you must have the proper policies and procedures in place to help determine whether a breach has occurred. For more information, HHS has created a fact sheet on ransomware.
Ensure staff receives periodic HIPAA training
Keeping your staff up-to-date on the latest compliance rules is one of your organization’s best defenses against HIPAA violations. Availity’s on-demand, online HIPAA training courses are a cost-effective way to ensure your staff is up-to-date.
The information in this article is for general information purposes only and is not intended to be, and should not be interpreted to be, legal advice.