Ransomware: The Latest Trend in HIPAA Breaches

By Jeremy Henley, director of breach services, ID Experts

Ransomware is the new black in healthcare cyber-attacks. Hospitals and health systems from California to Maryland were hit with ransomware attacks in the first half of 2016. The ransomware epidemic has led to much debate as to whether or not this type of attack constitutes a legally reportable data breach under HIPAA. The debate is over.

The U.S. Department of Health and Human Services says yes—mostly. A data breach occurs when a ransomware attack causes electronic protected health information (PHI) to become encrypted. That’s because the encrypted data was acquired, and is thus an impermissible disclosure under the HIPAA Privacy Rule.

“Unless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred,” HHS stated in its recently issued guidance.

To determine this low probability, a HIPAA covered entity or business associate must perform an incident risk assessment using at least these four factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed;
  • The extent to which the risk to the protected health information has been mitigated.

HHS suggested that “a thorough and accurate evaluation of the evidence acquired and analyzed as a result of security incident response activities could help entities with the risk assessment process.” The agency also noted that there are other factors that “may indicate compromise” and may have to be considered, such as a high risk of data unavailability or a high risk to the data’s integrity.

In addition, HHS pointed out that the breach notification provisions of HIPAA apply only to unsecured PHI. “Fact-specific” determinations are required in situations where ransomware was merely present on a system, or where the ransomed data was already encrypted in accordance with HHS guidance.

The Lowdown on Ransomware

Ransomware is a particularly nasty form of malware that gains access to a computer system and makes either the system or the data inaccessible, then attempts to extort payment from the owner in return for returning access. Often there is a limited time to pay, after which the data will be permanently lost, and the payment is typically in some kind of untraceable cyber currency such as Bitcoin.

According to an interagency federal guide, How to Protect Your Networks from Ransomware, there have been, on average, more than 4,000 ransomware attacks daily since the start of 2016. That’s a 300-percent increase over last year. It’s for good reason that in Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, ransomware attacks ranked second out of all cyber-attack concerns.

Is Ransomware a Reportable Breach? Experts Weigh In

David Harlow, principal of The Harlow Group, wrote in a recent blog post, “Viewing a ransomware attack as a ‘disclosure’ seems to me to be a stretch (since at the heart of most ransomware attacks is an encryption, not a disclosure), and the savings clause is notoriously difficult to apply because the key term, ‘compromised,’ is not defined.”

He added that the four-factor compromised standard is “an intensely fact-specific inquiry.” The government, he wrote, is “suggesting that the default position should be that a ransomware attack is a reportable breach under the HIPAA Privacy Rule…. The ramifications are quite concrete: a conclusion of whether or not to proceed with public reporting of a data breach depends on the outcome.”

In his April HealthITSecurity article, Jack Danahy, co-founder and CTO of the endpoint security company Barkly, disagreed, saying that ransomware attacks should be considered reportable breaches. He wrote that such an attack is “every bit as dangerous as the outright theft” of the electronic device that is infected.

He said that more than 100 of the breaches reported to HHS in 2015 were disclosed because a criminal got control of a system that held PHI. “There is no need to verify that the information stolen in this manner is ever accessed or used; the existence of this important information in the hands of a criminal is enough of a threat that it must be reported,” Danahy wrote.

Such losses, he said, must be reported because the systems and PHI being accessed are no longer in the healthcare provider’s control. “This sounds a lot like ransomware,” he added.

Ransomware Reporting, Sir!

Whether or not you agree that ransomware should be a reportable breach under HIPAA, be prepared to conduct an incident risk assessment should your organization be the victim of an attack. Given the statistics, that may happen sooner rather than later.


  1. I fail to understand the confusion that so many people are attributing to this. Personally, my only confusion was that from HHS-OCR’s perspective (which is one we all need to take heed since they are in essence the “rule makers” and would assess us on following the rules that they establish) which of the four “impermissibles” does a successful ransomware attack (as we know, there are ways to thwart a ransomware attack) represent.

    Now that we know HHS-OCR sees this as an impermissible acquisition (perhaps some folks may or may not agree…but I say…just let it go…like the song says in “Frozen”)…it is just as any other “impermissible” which means it is presumed to be a breach unless a risk assessment determines a LoProCo (low probability of compromise).

    It’s as simple as that….so to those who are filling reams of virtual paper on pages of blogs and webs which I think is confusing people more than not…I say the message goes like this in 50 words or less.

    HHS-OCR has determined that a ransomware attack represents an impermissible acquisition. Therefore, given the presumption of a breach, it triggers the required notifications or a covered entity or business associate as applicable may conduct a risk assessment to determine there is a LoProCo.

    • “it triggers the required notifications or a covered entity or business associate as applicable may conduct a risk assessment to determine there is a LoProCo…”

      And that’s where you get stuck under this guidance.

      You rarely, if ever, will be able to satisfy the 2nd of the 4 minimum factors to be considered for a LP of C. You’ll always be stuck with a “HIGH” mark there since all malware/ransomware attackers, anonymous or not, would be considered bad actors.

      Is scoring 75% on the security risk assessment pop quiz good enough to declare a LP of C?

      If not, it’s a breach.