WannaComply? OCR’s Application of HIPAA’s Breach Notification Rule to Ransomware Attacks
By Sean Fernandes[1]
Organizations worldwide are facing a new cybersecurity plague: ransomware attacks such as the recent, widely publicized, and global WannaCry[2] and Petya[3] outbreaks. In the typical case, after users click on a malicious link, an attacker unleashes malware that encrypts files stored on the organization’s network and renders them inaccessible until a cryptocurrency ransom is paid.
For organizations subject to HIPAA,[4] including covered entities[5] and their business associates,[6] this new form of attack raises important questions about whether and how the law’s Privacy,[7] Security,[8] and Breach Notification[9] Rules might apply when ePHI[10] has been successfully targeted.
In June 2016, the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”) offered answers to these questions in the form of a “Ransomware Fact Sheet.”[11] This article assesses the Fact Sheet and addresses what practical steps covered entities and business associates should take to meet OCR’s expectations and comply with the law.
Before an Attack
Even before a ransomware attack occurs, covered entities and business associates are required to consider it in their risk analysis and planning efforts. The Fact Sheet makes it clear that ransomware risks fall within the Security Rule’s requirement to develop a Security Management Process.[12]
Many ransomware attacks are triggered by a user clicking on a malicious link in an email.[13] Hence training and organizational awareness are critical to protecting against ransomware attacks. Making employees and workforce members aware of how to recognize and avoid malicious links, offering frequent reminders to not open any unexpected attachments, and running tests (such as sending internal emails that should arouse suspicion and judging responses), can help prevent ransomware from infecting an organization.
Additional preemptive safeguards should be to keep third-party software and operating systems up to date and to promptly apply security patches released by vendors. The WannaCry attack that affected the UK’s National Health Service exploited flaws in outdated operating systems that continued to run on NHS’s devices. Ensuring that information systems are kept up-to-date is a simple way to take advantage of software vendors’ efforts to maximize cybersecurity and prevent attacks.
Good data management, access controls, and encryption can also mitigate the effects of a ransomware. Some first steps would include storing sensitive data elements separately and limiting employee data access, based on job roles, to help prevent the spread of ransomware attacks.[14]
Additionally, frequently backing up data and storing back-ups separately can reduce the likelihood a ransomware attack will impair operations.[15]
It is also important to ensure that digital forensics processes (allowing for data recovery and investigation of the nature of malware) are both in place and workable after a breach. Breach response evaluations will depend on being able to assess the nature and scope of the attack.
Evaluating Notification Obligations
The Fact Sheet concludes that notification evaluations are fact-specific and should focus on whether a ransomware attack “compromises” ePHI. This helps resolve the question of whether HIPAA’s Breach Notification Rule[16] requires notification when ransomware encrypts ePHI, which was unresolved prior to the release of OCR’s Fact Sheet. However, in some areas, the analysis of the Notification Rule’s application is unclear.
The Notification Rule defines a breach as “[1] the acquisition, access, use, or disclosure of protected health information (“PHI”) in a manner not permitted under the [HIPAA Privacy Rule] which [2] compromises the security or privacy of the PHI.”[17]
Thus, determining whether a breach has occurred requires a two-step analysis. The first step is to determine whether an “acquisition, access, use, or disclosure,” has occurred. If it has, then the incident is what I call a “presumptive breach.”
The Fact Sheet concludes that a ransomware attack is a presumptive breach,[18] which places the burden of proof on covered entities and business associates.[19] To that end, the Fact Sheet articulates the view that the unauthorized encryption of ePHI is a “disclosure” of ePHI because “the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information).” This interpretation raises at least two questions.
First, OCR’s definition of ransomware states that its “defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data.” OCR then concludes that this denial of access is a “disclosure” under the breach definition. HIPAA, however, defines a “disclosure” as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.”[20] Because the mere act of encryption does not spread the information outside the entity holding it, encryption would not by itself seem to be a “disclosure” for HIPAA purposes.
Second, the reasoning behind the Fact Sheet interpretation appears internally inconsistent. That reasoning would appear to support capturing ransomware under the “acquisition” prong of the definition, rather than the “disclosure” prong. OCR uses language like “acquired” and “possession or control” to frame the ransomware threat. The plain meaning of that language lends itself to an “acquisition” theory, rather than a disclosure one.
Regardless of any issues with the reasoning behind the presumptive breach conclusion, the Fact Sheet clearly expresses OCR’s view that ransomware attacks are presumptive breaches. Therefore, covered entities and business associates should focus on addressing the “likelihood of compromise” part of the breach inquiry.
The compromise inquiry consists of four factors: “1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; 2. the unauthorized person who used the PHI or to whom the disclosure was made; 3. whether the PHI was actually acquired or viewed; and 4. the extent to which the risk to the PHI has been mitigated.”[21] If the data has been compromised, a breach has occurred.
While the first three factors are relatively straightforward, OCR flags two issues to consider under the fourth factor. First, data back-ups and demonstrated verifications of its integrity will mitigate the risk in OCR’s view.[22] Second, a demonstration that no data has been exfiltrated will cut in favor of mitigating the risk, while an inconclusive or opposite finding will not.[23]
It is less clear what relative weight should be assigned to each of these factors. This is further complicated because covered entities and business associates carry the burden of proof should they elect not to notify, because OCR has found that a ransomware attack is a presumptive breach.[24] Therefore, those entities should focus investigative and remediation efforts on mitigation and determining whether the data was actually acquired. The mitigation efforts are at least partially in control of the attacked entity, allowing covered entities and business associates to take affirmative actions in response to ransomware. And while it will be difficult to prove there was no actual acquisition, such a demonstration could show that there is no risk of harm to consumers. Nevertheless, given that they carry the burden of proof, covered entities and business associates should make sure their conclusions have strong documentation supporting them.
The Fact Sheet also recommends examining several ransomware specific issues, including “the exact type and variant of malware discovered[,] the algorithmic steps undertaken by the malware[,] communications, including exfiltration attempts between the malware and attackers’ command and control servers[,] and whether or not the malware propagated to other systems, potentially affecting additional sources of electronic PHI (ePHI).”[25]
Conclusion
Whatever one thinks of the reasoning behind the Fact Sheet, there’s nothing to disagree with in its emphasis on proactive compliance with the Security Rule and assessment of the ransomware threat. While there some issues with the application of HIPAA’s breach definition to ransomware, OCR has clearly stated its position that ransomware attacks trigger notification obligations unless covered entities or business entities can prove no data was compromised.
[1] Sean Fernandes is an associate at Ellis & Winters, where he practices in privacy, data security and business litigation. The author would also like to thank Katherine Boyles, a student at the Duke University School of Law, for her contributions to this article.
[2] Sy Mukherjee, Why Health Care Is Especially Vulnerable to Ransomware Attacks, Fortune (May 15, 2017), http://fortune.com/2017/05/15/ransomware-attack-healthcare/; Damian Gayle, Alexandra Topping, Ian Sample, Sarah Marsh, and Vikram Dodd, NHS seeks to recover from global cyber-attack as security concerns resurface, The Guardian (May 13, 2017), available at https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack.
[3] United States Compt. Emergency Readiness Team, Multiple Petya Ransomeware Infections Reported, (July 6, 2017), https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported.
[4] Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 300g, 1181 et seq., 1320d et seq., 45 C.F.R. §§ 160 et seq., 164 et seq.
[5] 45 C.F.R. § 160.103 (“Covered entity means: (1) A health plan, (2) A health care clearinghouse, (3) A health care provider who transmits any health information in electronic form . . . .”).
[6] Supra note 5 at 1 (An entity outside a covered entity’s workforce that “creates, receives, maintains, or transmits protected health information” in connection with HIPAA regulated activities).
[7] 45 C.F.R. §§ 160, 164.102-106, 164.500-534.
[8] 45 C.F.R. §§ 160, 164.102-106, 164.302-318.
[9] 45 C.F.R. §§ 160, 164.102-106, 164.400-414.
[10]“Electronic protected health information [ePHI] means” “individually identifiable health information . . . that is . . . [t]ransmitted by electronic media . . . [or] [m]aintained in electronic media.” 45 C.F.R. § 160.103.
[11] Office of Civil Rights, Dep’t of Health and Human Servs., Fact Sheet: Ransomware and HIPAA (2016), available at https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
[12] Supra note 11, § 2 at 1-2.
[13] See Id.
[14] See Id., § 2, 3.
[15] See Id., § 3.
[16] 45 C.F.R. §§ 164.400-414 (2017).
[17] 45 C.F.R. § 164.402 (2017).
[18] Supra note 11, § 6.
[19] 45 C.F.R. § 164.414 (2017).
[20] 45 C.F.R. § 160.103 (2017).
[21] 45 C.F.R. § 164.402 (2017).
[22] See Id.
[23] Id.
[24] 45 C.F.R. § 164.414 (2017).
[25] Supra note 11, § 7.