Cyber Risk Is Not Going Away

In a future that has become more ambiguous than ever, some things are certain. Businesses, including health care entities, will increasingly rely on data and technology in order to conduct their business.  Data containing personal information will continue to be valuable.  The risk of liability for those holding that data will remain, whether the enforcer is at the federal or state level in a regulatory action, or a private citizen filing suit.  Safeguarding data against cyber-attacks and other impermissible disclosures must continue to be a priority for those who use and share data.

In the healthcare world, HIPAA compliance is key.  An example is the November 22nd settlement between the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the University of Massachusetts Amherst (UMass). The settlement includes a corrective action plan and a monetary fine of $650,000 (which would have been more had UMass not been operating at a financial loss in 2015). The trigger for the enforcement action was a UMass workstation that became infected with a malware program, resulting in the wrongful disclosure of electronic protected health information (ePHI) of 1,670 individuals. The malware was a generic remote access Trojan that infiltrated the UMass system, providing unauthorized access to ePHI because UMass did not have a firewall in place.  OCR’s investigation found that UMass failed to conduct an accurate and thorough security risk analysis, failed to have adequate policies and procedures in place, and failed to implement technical security measures.

For healthcare entities and those who handle their data, HIPAA compliance not only is required by law, it is still the most certain way to protect against, prepare for, respond to, and mitigate the effects of a cybersecurity incident.

On Tuesday, December 13, 2016, from 7:30 a.m. to 12:30 p.m., Denise L. Sanders, Esq., will participate in the seminar “Cybercrime:  Facts, Threats, and Countermeasures,” held at Rowan University and hosted by Avasek.  The seminar includes presentations by Mike Geraghty, Director, NJ Cybersecurity & Communications Integration Cell; Philip Frigm, Supervisory Special Agent, FBI Newark Division; and Lt. Cy Bleistine, NJ State Police, Cyber Crimes Unit; along with David Humphreys, Avasek.  As part of an expert panel, Ms. Sanders will address HIPAA and HITECH compliance by healthcare providers facing cybersecurity threats.  To register, please click here.


It’s Not Just Ransomware – It’s a Breach!

Ransomware.  It’s in the headlines, but what is it?  Recently, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) provided a layperson’s description:

Ransomware is a type of malware (malicious software) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.

The description is included in a Fact Sheet on Ransomware and HIPAA (the Health Insurance Portability and Accountability Act), containing OCR’s guidance to healthcare entities on how to guard against ransomware and how to respond to a ransomware attack. The Fact Sheet notes that, on average, there have been 4,000 daily ransomware attacks since early 2016, a 300% increase over the 1,000 daily ransomware attacks reported in 2015.  And these are only the reported attacks.

The Fact Sheet provides extensive and detailed guidance on how entities subject to HIPAA should be protecting against ransomware. If safeguards have been put in place as required by HIPAA, ransomware should be less likely to occur and less likely to be devastating to an entity.  But of note in the guidance is the discussion of what else ransomware can be—a breach.  Specifically, a breach of protected health information (PHI) that must be reported as required under applicable law.

The scenario set forth by the OCR is where a laptop, encrypted with a full disk encryption solution, is powered on and in use by an authenticated user, who then performs an action (clicks on a link to a malicious website, opens an attachment from a phishing email, etc.) that infects the laptop with ransomware. If full disk encryption is the only encryption solution in use to protect the PHI, and if the ransomware accesses the file containing the PHI, the file containing the PHI will be transparently decrypted by the full disk encryption solution and access permitted to the hacker with the same access levels granted to the user.

Because the file containing the PHI was decrypted and thus constituted “unsecured PHI” at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed.  In that case, the victimized entity must conduct the required assessment to determine if breach notification must be provided to all affected persons and to applicable authorities.

The OCR’s analysis (and the U.S. Government Interagency Guidance Document, referenced here in How to Protect Your Networks from Ransomware) should be heeded by any business that holds personal information in electronic form. That’s because state identity theft prevention laws, as well as certain federal laws, apply to such businesses. And those laws contain security mandates and breach notification obligations similar to what is required of healthcare entities under HIPAA.

Ransomware is a formidable challenge and potentially devastating to a business.  And breach notification is usually a substantial and costly undertaking.  All businesses—not just healthcare entities—that maintain personal information in electronic form, should take the threat of ransomware seriously and implement the necessary policies, procedures and technical safeguards to guard against it.  The OCR’s guidance can be found on the ransomware fact sheet.