OCR Publishes Guidance on Ransomware

On July 11, 2016, Jocelyn Samuels, Director of the HHS Office for Civil Rights (OCR), announced the publication of a fact sheet with detailed guidance on ransomware for HIPAA covered entities and business associates.

In this blog post we discuss the five biggest takeaways from the published guidance.

What Are Our Big Takeaways from the Published Guidance?

1. If ransomware encrypts ePHI, a breach is presumed to have occurred.

Under the rules, a breach is defined as “...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”i The guidance first allows that whether a ransomware attack is a breach is a “fact-based determination,” but it then concludes that when ePHI is encrypted by ransomware “a breach has occurred,” because the ePHI was “acquired” by an unauthorized party. The burden is therefore on the entity to show otherwise (see takeaway 2).

2. Your breach risk assessment determines whether the breach must be reported.

Breach notification is not required if a risk assessment, applying at least the four specified factors, demonstrates a “low probability” that the ePHI was compromised by the ransomware attack. The “four factor” test considers the nature and extent of the ePHI involved, the unauthorized person who used the ePHI or to whom it was disclosed, whether the ePHI was actually acquired or viewed (likely “yes” under this guidance), and the extent to which the risk has been mitigated. Document the assessment and its conclusion either way; an unreported ransomware incident with no written assessment is hard to defend.

3. A comprehensive risk analysis is your first line of defense.

The guidance emphasizes that a risk analysis should be comprehensive enough to address “all of the ePHI the entities create, receive, maintain, or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level.” This language is lifted almost directly from the regulations, so it is not groundbreaking; the area of emphasis and the example OCR chose are both notable, however.

The results of a risk analysis should be used to reduce risks to a “reasonable and appropriate” level, which presumes that the risk analysis procedure actually identifies the weaknesses on your network and in your processes that ransomware could exploit. The example the guidance uses is a network device running outdated firmware:

“although there is not a Security Rule standard or implementation specification that specifically and expressly requires entities to update the firmware of network devices, entities, as part of their risk analysis and risk management process, should, as appropriate, identify and address the risks to ePHI of using network devices running on obsolete firmware, especially when firmware updates are available to remediate known security vulnerabilities.”

Is your risk analysis process sufficient to identify out-of-date firmware, or other technical vulnerabilities present on your network? A risk analysis that consists only of a policy review, with no asset inventory or vulnerability scan feeding it, would not surface this example.

4. Data backup and contingency plans are your first line of recovery if you are attacked.

The contingency plan standard of the HIPAA Security Rule requires covered entities to back up all systems containing ePHI and to have documented procedures in place for restoring data from backup. In addition, the guidance recommends that “because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and unavailable from their networks.” A backup that is reachable with the same credentials the ransomware is running under is not a recovery plan; it is another target.

Organizations should also periodically test their contingency and backup procedures “to verify the integrity of backed up data and provide confidence in an organization’s data restoration capabilities.” Verifying integrity means more than confirming the backup job completed: the restored data must be checked against a record made at backup time, and that record must itself be protected from whoever tampered with the backups.
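One way to do the integrity check the guidance calls for is to record a hash of every file at backup time and authenticate that listing with a key that lives with the offline backups, not on the network. The following Python is an added example, not code from the OCR fact sheet or from this post; the file names, contents and signing key are constructed for the demonstration, and in practice the key would be held offline.

```python
"""Backup integrity verification: per-file SHA-256 manifest authenticated with an HMAC.

Added example (standard library only). The sample files, the "ransomware" that
overwrites one of them and the signing key are all constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(root: Path) -> dict:
    """Map relative POSIX-style paths to Path objects for every file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): p
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file and sign the listing; without `key` the manifest cannot be rewritten."""
    entries = {rel: file_sha256(p) for rel, p in _listing(root).items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_restore(root: Path, manifest: dict, key: bytes) -> dict:
    """Compare a restored tree against the manifest.

    Returns manifest_authentic (HMAC check), a per-file status of
    ok / modified / missing / unexpected, and an overall clean flag.
    """
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    result = {"manifest_authentic": hmac.compare_digest(expected, manifest["hmac"]), "files": {}}
    present = _listing(root)
    for rel, digest in manifest["files"].items():
        if rel not in present:
            result["files"][rel] = "missing"
        elif file_sha256(present[rel]) != digest:
            result["files"][rel] = "modified"
        else:
            result["files"][rel] = "ok"
    for rel in present.keys() - manifest["files"].keys():
        result["files"][rel] = "unexpected"  # e.g. a ransom note dropped into the tree
    result["clean"] = result["manifest_authentic"] and all(v == "ok" for v in result["files"].values())
    return result


def demo() -> tuple:
    """Constructed scenario: a good backup, the same tree after ransomware, and a forged manifest."""
    key = b"manifest-signing-key-kept-offline"  # assumption: stored with the offline backups
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        (backup / "records" / "patient_001.csv").write_bytes(b"id,dob\n1,1970-01-01\n")
        (backup / "records" / "patient_002.csv").write_bytes(b"id,dob\n2,1985-06-30\n")
        manifest = build_manifest(backup, key)
        clean = verify_restore(backup, manifest, key)

        # Simulated ransomware: one record overwritten with ciphertext, a note dropped.
        (backup / "records" / "patient_002.csv").write_bytes(os.urandom(32))
        (backup / "README_DECRYPT.txt").write_bytes(b"pay up\n")
        tampered = verify_restore(backup, manifest, key)

        # Attacker recomputes the hashes but does not hold the signing key.
        forged = verify_restore(backup, build_manifest(backup, b"wrong-key"), key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, r in zip(("clean", "tampered", "forged"), demo()):
        print(label, r["clean"], r["manifest_authentic"], r["files"])
```

The third case is the one that matters for the offline recommendation: if the manifest were stored next to the backups with no key, the attacker could simply regenerate it and the restore would look clean.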

5. Incident response procedures are crucial to mitigating and managing a ransomware attack.

The guidance on incident response is surprisingly robust and references NIST guidance on the topic.ii It describes a process that allows your organization to detect the ransomware, analyze it, contain its impact and propagation, and then eradicate the instances of it. Incident response procedures should also address the discovery and remediation of the vulnerabilities that allowed the attack to occur in the first place, and, post-attack, a root cause analysis that determines the steps needed to prevent a similar attack in the future. The detection step deserves attention: ransomware is fastest to contain when it is caught in the first minutes of encryption, which means watching file activity on shares holding ePHI, not only waiting for a user to report a ransom note.
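As an added example, not from the OCR fact sheet or this post, the following Python implements one simple detection heuristic of the kind the “detect” step relies on: a burst of file renames by one user and process, all to the same new extension, within a short window. The audit log lines, field names and thresholds are constructed for the demonstration; real file-server audit formats differ and the parser would be adapted to them.

```python
"""Ransomware burst detection over file-share audit events (added example).

Heuristic: a single (user, process) renaming >= THRESHOLD files to one new
extension inside a sliding WINDOW is flagged. The log format and sample lines
below are constructed for this demo, not a real product's audit format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) action=(?P<action>\w+) '
    r'path="(?P<path>[^"]+)"(?: new="(?P<new>[^"]+)")?$'
)

# Constructed sample: jdoe works normally; rsmith's "updater.exe" encrypts a share.
SAMPLE_LOG = """\
2016-07-11T09:00:05 user=jdoe proc=WINWORD.EXE action=WRITE path="/shares/records/intake_form.docx"
2016-07-11T09:03:41 user=jdoe proc=WINWORD.EXE action=RENAME path="/shares/records/~tmp1.tmp" new="/shares/records/intake_form.docx"
2016-07-11T09:10:12 user=jdoe proc=EXCEL.EXE action=WRITE path="/shares/billing/q2.xlsx"
2016-07-11T09:41:00 user=rsmith proc=updater.exe action=RENAME path="/shares/records/p001.pdf" new="/shares/records/p001.pdf.crypt"
2016-07-11T09:41:04 user=rsmith proc=updater.exe action=RENAME path="/shares/records/p002.docx" new="/shares/records/p002.docx.crypt"
2016-07-11T09:41:09 user=rsmith proc=updater.exe action=RENAME path="/shares/records/p003.pdf" new="/shares/records/p003.pdf.crypt"
2016-07-11T09:41:13 user=rsmith proc=updater.exe action=RENAME path="/shares/records/p004.xlsx" new="/shares/records/p004.xlsx.crypt"
2016-07-11T09:41:18 user=rsmith proc=updater.exe action=RENAME path="/shares/records/p005.pdf" new="/shares/records/p005.pdf.crypt"
2016-07-11T09:41:22 user=rsmith proc=updater.exe action=RENAME path="/shares/records/p006.docx" new="/shares/records/p006.docx.crypt"
2016-07-11T09:41:27 user=rsmith proc=updater.exe action=WRITE path="/shares/records/HOW_TO_DECRYPT.txt"
"""


def parse(line: str):
    """Parse one audit line into a dict, or return None for lines in another format."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, window: timedelta = timedelta(seconds=60), threshold: int = 5) -> list:
    """Return one alert per (user, proc) whose rename burst crosses the threshold."""
    recent = defaultdict(deque)  # (user, proc) -> deque of (timestamp, new extension)
    alerts, alerted = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] != "RENAME" or not ev["new"]:
            continue
        old_ext = PurePosixPath(ev["path"]).suffix.lower()
        new_ext = PurePosixPath(ev["new"]).suffix.lower()
        if new_ext == old_ext:
            continue  # same file type; ordinary save-and-replace behaviour
        key = (ev["user"], ev["proc"])
        q = recent[key]
        q.append((ev["ts"], new_ext))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) >= threshold and len({e for _, e in q}) == 1 and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": ev["user"], "proc": ev["proc"], "new_ext": new_ext,
                "count": len(q), "first_seen": q[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            })
    return alerts


def run_demo() -> list:
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT {a['user']}/{a['proc']}: {a['count']} renames to {a['new_ext']} "
              f"between {a['first_seen']} and {a['last_seen']}")
```

The alert fires on the fifth rename, 18 seconds into the burst, which is the point at which a containment action (disabling the account or isolating the host) is still worth taking. Legitimate bulk conversions will also trip a rule this simple, so in practice the threshold is tuned per share and known batch jobs are allow-listed.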

Stay tuned on Friday for our upcoming Q&A blog post that will cover some of our readers' most pertinent questions on ransomware.

References:

i. 45 C.F.R. § 164.402
ii. NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide
