Ransomware and HIPAA: trends and what to do


Ransomware attacks in the healthcare industry have become increasingly common in recent years, threatening patient care, disrupting daily operations, and possibly compromising protected health information (PHI). Under HIPAA rules, organizations must take steps to protect PHI and be prepared for the consequences should a data breach occur. This post will explore the significant issues around ransomware and HIPAA, the latest trends, and what you need to know about dealing with this serious threat.


What is the purpose of a ransomware attack on a healthcare facility?

The purpose of a ransomware attack on a healthcare facility is typically to encrypt the facility’s data and demand a ransom payment in exchange for the decryption key. Increasingly, the attackers also steal data before encrypting it and threaten to publish or sell it if their demands are not met (so-called double extortion). These attacks can cause significant disruption to the facility’s operations and put patient health and safety at risk.

Ransomware in the healthcare sector is rising

According to a study published in the Journal of the American Medical Association (JAMA), there were 374 ransomware attacks on U.S. healthcare delivery organizations from 2016 through 2021. The study also showed the trend escalating: the annual count more than doubled, from 43 attacks in 2016 to 91 in 2021. Over that span the PHI of some 42 million patients was exposed.

As one might expect, hospitals were the most frequent targets. The attacks were nonetheless spread across the industry, including post-acute care, ambulatory surgery centers, dental practices, clinics, behavioral health centers, and other healthcare entities.

The nature of ransomware incidents in healthcare is changing

Becker’s Hospital Review identified a ransomware attack back in 1989 as the first in the healthcare space. It involved a single perpetrator and Trojan Horse malware that had been placed on 20,000 floppy disks distributed to AIDS researchers.

Today’s attacks on healthcare entities are more advanced and coordinated. The threat actors are no longer lone individuals but organized groups, some with state backing, and they routinely find and exploit vulnerabilities faster than technology teams can patch them. Ransom payments are demanded in cryptocurrency, which makes them hard to trace. And, as an article published by the American Hospital Association points out, it is no longer only conventional computer systems that are attacked: in today’s “connected world”, attackers frequently target diagnostic equipment and networked medical devices as well.

Although a single healthcare entity is the usual target, 2017’s WannaCry ransomware was an indiscriminate global attack that hit organizations of every kind, healthcare included. National Health Service (NHS) hospitals in England and Scotland were among the hardest hit, with potentially 70,000 devices affected, including computers, MRI scanners, and refrigerators used to store blood.

What does Health and Human Services say about ransomware and HIPAA?

In 2016 the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a fact sheet giving HIPAA guidance for ransomware incidents. In it, OCR stated plainly that …

“Unless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.”

Given the above, there are potentially two paths to pursue.

  1. Follow the applicable incident and response reporting procedures and conduct a thorough assessment of the incident.
  2. Where the facts support it, prepare to demonstrate that there is a low probability that PHI has been compromised.

Let’s look at both.

Ransomware attack and breach of PHI

45 C.F.R. 164.304 defines a security incident as “… the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” The presence of ransomware on a covered entity’s or business associate’s systems is therefore a security incident by definition, and on discovering one the entity must execute the incident response and reporting procedures that HIPAA requires it to have in place. Per HHS, that response should begin with the following …

  • determine the scope of the incident to identify what networks, systems, or applications are affected;
  • determine the origination of the incident (who/what/where/when)
  • determine whether the incident is finished, is ongoing or has propagated additional incidents throughout the environment; and
  • determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited).

Once these initial steps have been completed the entity will be better positioned to prioritize further action.

Next, a more thorough analysis of the security incident and the extent of its impact will need to be undertaken. HHS recommends the following be included in such an analysis …

  • contain the impact and propagation of the ransomware;
  • eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
  • recover from the ransomware attack by restoring data lost during the attack and returning to “business as usual” operations; and
  • conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.

As that list shows, part of this deeper analysis is determining whether the security incident resulted in a breach of PHI. If it did, the steps in the HIPAA Breach Notification Rule must be carried out: notifying the affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery, notifying the Secretary of HHS, notifying prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction, and notifying state officials such as an attorney general where state law requires it.

In response to a breach notification, OCR may open an investigation into whether adequate safeguards were in place at the time of the incident, including whether an active HIPAA compliance program existed and how well it was actually implemented. Its findings determine the entity’s level of culpability and whether civil monetary penalties are imposed; any reduction or waiver of those penalties is solely at OCR’s discretion.

If it is not clear whether PHI was breached, we return to the HHS position quoted earlier: a breach is presumed unless the entity can demonstrate a low probability that the PHI was compromised.

Demonstrating low probability that PHI has been compromised in a ransomware attack.

45 C.F.R. 164.402(2) sets out what such a demonstration must contain. A risk assessment must be conducted, and it must consider at least the following factors …

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.

The depth and detail of the risk assessment directly affect how well it can support a finding of low probability, because a careful assessment establishes specific facts about the malware involved. Knowing what it does, how it does it, and what it does not do can show with reasonable confidence that PHI was very likely not compromised (for example, that the sample encrypts files in place and contains no exfiltration capability). Capable technical support to establish those facts is therefore invaluable.

In the HHS fact sheet about Ransomware and HIPAA, they offer the following suggestions for these sorts of details …

  • the exact type and variant of malware discovered;
  • the algorithmic steps undertaken by the malware;
  • communications, including exfiltration attempts, between the malware and the attackers’ command-and-control servers; and
  • whether or not the malware propagated to other systems, potentially affecting additional sources of electronic PHI (ePHI).

As the fact sheet notes, correctly identifying the malware involved helps an entity determine what algorithmic steps the malware is programmed to perform.
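The scoping questions HHS lists earlier (what is affected, where the incident originated, whether it is still ongoing or has propagated) and the fact-sheet details just above (command-and-control communications, exfiltration attempts, propagation to other systems) are largely answered from the same evidence: network flow records. The script below is an added example, not code from the HHS fact sheet or from this article. It triages a small set of constructed flow records against a hypothetical C2 indicator list; the record format, the addresses, the 10.0.0.0/8 internal-range assumption and the 50 MiB exfiltration threshold are all assumptions made for illustration.

```python
"""Triage of constructed network-flow records after a ransomware incident.

Added example; not from the HHS fact sheet or the original article.
The flow records, host addresses and the command-and-control (C2)
indicator list are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical C2 indicators (e.g. from published analysis of the identified
# malware family). Made up for this example, using documentation ranges.
C2_INDICATORS = {"198.51.100.23", "203.0.113.77"}
INTERNAL_PREFIX = "10."                      # assumption: internal range is 10.0.0.0/8
SMB_PORT = 445                               # common propagation / lateral-movement channel
EXFIL_THRESHOLD_BYTES = 50 * 1024 * 1024     # assumption: 50 MiB to one C2 host is suspicious


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(lines):
    """Parse 'timestamp src dst dport bytes_out' records (a constructed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return sorted(flows, key=lambda f: f.ts)


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def triage(flows):
    """Answer HHS's scoping questions from flow evidence: affected hosts, origin,
    when C2 traffic was last seen (is it ongoing?), propagation paths, exfil suspects."""
    bytes_to_c2 = defaultdict(int)   # host -> bytes sent to any C2 indicator
    first_c2 = {}                    # host -> first C2 contact
    last_c2 = {}                     # host -> most recent C2 contact
    propagation = defaultdict(set)   # host -> internal hosts it reached over SMB
    for f in flows:
        if f.dst in C2_INDICATORS:
            bytes_to_c2[f.src] += f.bytes_out
            first_c2.setdefault(f.src, f.ts)
            last_c2[f.src] = f.ts
        elif f.dport == SMB_PORT and is_internal(f.src) and is_internal(f.dst):
            propagation[f.src].add(f.dst)
    reached = {d for dsts in propagation.values() for d in dsts}
    affected = set(bytes_to_c2) | set(propagation) | reached
    origin = min(first_c2, key=first_c2.get) if first_c2 else None
    return {
        "affected_hosts": sorted(affected),
        "origin": origin,
        "first_c2_contact": first_c2.get(origin),
        "last_c2_contact": max(last_c2.values()) if last_c2 else None,
        "bytes_to_c2": dict(bytes_to_c2),
        "propagation": {h: sorted(d) for h, d in propagation.items()},
        "exfil_suspects": sorted(h for h, b in bytes_to_c2.items()
                                 if b >= EXFIL_THRESHOLD_BYTES),
    }


# Constructed sample: 10.0.1.15 beacons first, reaches two peers over SMB, then
# pushes 60 MiB to a C2 address; 10.0.1.22 only beacons; 10.0.1.40 is benign traffic.
SAMPLE_FLOWS = """
# ts                 src        dst            dport bytes_out
2024-03-01T02:14:05  10.0.1.15  198.51.100.23  443   812
2024-03-01T02:15:40  10.0.1.15  10.0.1.22      445   4096
2024-03-01T02:15:41  10.0.1.15  10.0.1.30      445   4096
2024-03-01T02:16:02  10.0.1.22  198.51.100.23  443   640
2024-03-01T02:20:00  10.0.1.15  203.0.113.77   443   62914560
2024-03-01T02:21:13  10.0.1.40  192.0.2.10     443   1200
"""

if __name__ == "__main__":
    for key, value in triage(parse_flows(SAMPLE_FLOWS.splitlines())).items():
        print(f"{key}: {value}")
```

A volume-to-C2 figure near zero, combined with a malware identification showing no exfiltration code path, is the kind of concrete evidence the low-probability risk assessment needs. A large outbound transfer to a C2 address points the other way and should be treated as presumptive exfiltration until disproved, and a recent last-contact timestamp means the incident is ongoing rather than finished.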

Additionally, where ransomware accessed PHI, the integrity of that PHI is now in question. Because mitigation is one of the four risk-assessment factors, having, and being able to demonstrate, well-designed and actively maintained contingency plans for disaster recovery (including backups from which the affected data can be restored intact) carries real weight here.

Throughout such an investigation, covered entities and business associates must retain all documentation that supports their findings, because under 45 C.F.R. 164.414(b) the burden of proof rests with them.

Was the PHI encrypted prior to the ransomware incident?

The HIPAA Breach Notification Rule applies to unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance (in practice, encryption or destruction). But what if the PHI was already encrypted and the ransomware merely applied a second layer of encryption? On its face, that scenario would seem to mean the attacked entity need not conduct a low-probability risk assessment or issue a breach notification. According to HHS, however, this is “a fact-specific determination”. It turns on the specific encryption method used, whether it meets the HHS Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, and whether that encryption was actually protecting the data at the time of the attack. Full-disk encryption, for example, provides no protection against malware running on a system where the user is already logged in, because files on the mounted volume are transparently decrypted for any process on that host; the same applies wherever the ransomware ran with access to the decryption key.

Best practices to avoid ransomware attacks in healthcare

In spite of the growing threat of cyber attacks, there are a number of proactive steps that a healthcare business can take to improve security, decrease potential vulnerabilities, and recognize a ransomware threat. Consider the following …

  • Deploy endpoint protection (antivirus/EDR) and intrusion detection on servers and workstations
  • Require strong passwords (current NIST SP 800-63B guidance favors long passphrases screened against lists of known-breached passwords over forced periodic rotation)
  • Back up important files regularly to offline or otherwise isolated storage, and test restores
  • Filter suspicious emails and block known-malicious websites
  • Segment critical medical devices from the general network with firewalls
  • Use multi-factor authentication (MFA) wherever possible, especially for remote access and administrative accounts
  • Prohibit the use of unsecured or public Wi-Fi networks for access to systems holding PHI
  • Disable RDP where it is not needed and never expose it directly to the internet; put any required remote access behind a VPN or gateway with MFA
  • Establish processes to monitor logs regularly for suspicious activity
  • Keep all software and firmware current with security patches
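One concrete form of “monitor logs regularly for suspicious activity” is watching file-server audit logs for the signature behaviour of an encryptor: one host renaming many files to a new extension in a short time. The following is an added example, not part of the original article, that runs a sliding-window check over constructed audit events; the event format, host and user names, file paths, and the 25-renames-in-60-seconds threshold are all assumptions.

```python
"""Early-warning check for encryptor activity in constructed file-server audit events.

Added example; not from the original article. The event format, hosts,
users, paths and thresholds are constructed for illustration; a real
deployment would read the file server's own object-access audit log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example: 25 or more renames that change a file's
# extension, from one host/user pair within 60 seconds, raise an alert.
WINDOW = timedelta(seconds=60)
THRESHOLD = 25


def parse_event(line):
    """Parse 'ts host user action old_path new_path'; return None unless it is a RENAME."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "RENAME":
        return None
    ts, host, user, _, old_path, new_path = parts
    return datetime.fromisoformat(ts), host, user, old_path, new_path


def extension(path):
    """Lower-cased extension of the final path component, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(lines):
    """Sliding-window count of extension-changing renames per (host, user).
    Returns one alert per offender: (host, user, window_start, count, new_extension)."""
    windows = defaultdict(deque)     # (host, user) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, host, user, old_path, new_path = event
        if extension(old_path) == extension(new_path):
            continue                 # ordinary rename, extension preserved
        key = (host, user)
        window = windows[key]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()         # drop events older than the window
        if len(window) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append((host, user, window[0], len(window), extension(new_path)))
    return alerts


def constructed_events():
    """Constructed audit log: one benign rename, three legitimate conversions
    (below threshold), and an encryptor on WS-17 renaming patient files."""
    base = datetime(2024, 3, 1, 2, 30, 0)
    lines = [f"{base.isoformat()} WS-02 jdoe RENAME /share/report.docx /share/report_final.docx"]
    for i in range(3):
        t = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{t} WS-05 asmith RENAME /share/q{i}.xls /share/q{i}.xlsx")
    for i in range(30):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} WS-17 nurse3 RENAME /share/pt/{i:04d}.pdf /share/pt/{i:04d}.pdf.locked")
    return lines


if __name__ == "__main__":
    for host, user, start, count, ext in detect_mass_rename(constructed_events()):
        print(f"ALERT {host} {user}: {count} extension-changing renames since {start} (.{ext})")
```

Alerting at the first crossing per host/user pair keeps the output to one line per offender. A real deployment would also isolate the host automatically on alert, since a ransomware run against a file share can finish in minutes, and every minute of dwell adds to the scope the incident response team later has to reconstruct.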

A ransomware event that turns into a data breach is far more likely when staff attitudes toward security are lax. Covered entities that keep every team member aware and diligent have won half the battle. Training all staff on hire and annually thereafter on the technical safeguards and cybersecurity practices above should therefore be a key component of any HIPAA compliance plan.
