Ransomware. It’s in the headlines, but what is it? Recently, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) provided a layperson’s description:
Ransomware is a type of malware (malicious software) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.
The description is included in a Fact Sheet on Ransomware and HIPAA (the Health Insurance Portability and Accountability Act), containing OCR’s guidance to healthcare entities on how to guard against ransomware and how to respond to a ransomware attack. The Fact Sheet notes that, on average, there have been 4,000 daily ransomware attacks since early 2016, a 300% increase over the 1,000 daily ransomware attacks reported in 2015. And these are only the reported attacks.
The Fact Sheet provides extensive and detailed guidance on how entities subject to HIPAA should be protecting against ransomware. If safeguards have been put in place as required by HIPAA, ransomware should be less likely to occur and less likely to be devastating to an entity. But of note in the guidance is the discussion of what else ransomware can be—a breach. Specifically, a breach of protected health information (PHI) that must be reported as required under applicable law.
The scenario OCR sets out is one in which a laptop protected by a full disk encryption solution is powered on and in use by an authenticated user, who then performs an action (clicking a link to a malicious website, opening an attachment from a phishing email, etc.) that infects the laptop with ransomware. If full disk encryption is the only encryption solution protecting the PHI, and the ransomware accesses the file containing the PHI, the full disk encryption solution transparently decrypts that file and the hacker obtains the same level of access that was granted to the authenticated user.
Because the file containing the PHI was decrypted and thus constituted “unsecured PHI” at the point in time that the ransomware accessed the file, an impermissible disclosure of PHI was made and a breach is presumed. In that case, the victimized entity must conduct the required assessment to determine if breach notification must be provided to all affected persons and to applicable authorities.
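The distinction OCR draws turns on a property of full disk encryption that is easy to miss: once the volume is unlocked, the operating system decrypts every read transparently, for whichever process asks. The Python model below is an added illustration, not code from the OCR fact sheet or from the author of this post. It uses a toy SHA-256 keystream cipher purely to make the layering visible, and the patient record, key values and file path are constructed for the demonstration. It runs the OCR scenario (FDE only, laptop unlocked), the contrasting powered-off case, and a third case in which the file carries its own application-held key, and reports for each whether what a user-context process obtained was readable PHI.

```python
"""Why full-disk encryption alone leaves PHI "unsecured" on an unlocked laptop.

Added illustration, not code from the OCR fact sheet. The cipher below is a
toy SHA-256 keystream used only to make the layering visible; the record,
keys and path are constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass, field


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (XOR with a SHA-256 counter keystream).
    Applying it twice with the same key restores the input."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class FdeVolume:
    """Disk-level encryption: ciphertext at rest, but once the volume is
    unlocked (powered on, user authenticated) every read through the
    filesystem returns plaintext, regardless of which process asks."""
    disk_key: bytes
    unlocked: bool = False
    sectors: dict = field(default_factory=dict)

    def write(self, path: str, content: bytes) -> None:
        self.sectors[path] = keystream_xor(self.disk_key, content)

    def read(self, path: str) -> bytes:
        raw = self.sectors[path]
        # Transparent decryption is the defining property of FDE. There is
        # no per-process check, so software launched by the user gets the
        # same view of the file as the user does.
        return keystream_xor(self.disk_key, raw) if self.unlocked else raw


PHI_RECORD = b"Patient: Jane Doe; MRN: 000123; Dx: sample (constructed)"
PHI_PATH = "/home/clinician/patients.csv"  # assumed path for the model


def phi_unsecured_when_read(volume: FdeVolume) -> bool:
    """Model of a process running in the user's context reading the file.
    PHI counts as 'unsecured' here if the bytes the process obtains are the
    readable record rather than ciphertext."""
    return volume.read(PHI_PATH) == PHI_RECORD


def run_assessment() -> dict:
    """Return, per scenario, whether the PHI was unsecured at the moment of
    access (True means the breach presumption in the guidance applies)."""
    results = {}

    # 1. FDE only, laptop powered on and unlocked: the scenario OCR describes.
    vol = FdeVolume(disk_key=b"disk-key-demo")
    vol.write(PHI_PATH, PHI_RECORD)
    vol.unlocked = True
    results["fde_only_unlocked"] = phi_unsecured_when_read(vol)

    # 2. FDE only, laptop powered off (volume key not loaded): the read
    #    returns ciphertext, so the PHI stays encrypted.
    vol.unlocked = False
    results["fde_only_powered_off"] = phi_unsecured_when_read(vol)

    # 3. FDE plus a second, application-held key for the file itself. The
    #    user session never holds the file key, so a user-context process
    #    sees only ciphertext even while the laptop is unlocked.
    vol2 = FdeVolume(disk_key=b"disk-key-demo")
    app_key = b"ehr-application-key-demo"  # assumed to live outside the session
    vol2.write(PHI_PATH, keystream_xor(app_key, PHI_RECORD))
    vol2.unlocked = True
    results["fde_plus_file_encryption"] = phi_unsecured_when_read(vol2)
    return results


if __name__ == "__main__":
    for scenario, unsecured in run_assessment().items():
        state = "breach presumed" if unsecured else "PHI remained encrypted"
        print(f"{scenario}: {state}")
```

The third case only helps if the file key genuinely lives outside the user session (in the application's own protected store or a key management service); a key that any process running as the user can retrieve adds nothing over full disk encryption, which is why the guidance's assessment asks what state the data was actually in when it was accessed, not merely whether "encryption" was deployed.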
The OCR’s analysis (and the U.S. Government Interagency Guidance Document, referenced here in How to Protect Your Networks from Ransomware) should be heeded by any business that holds personal information in electronic form. That’s because state identity theft prevention laws, as well as certain federal laws, apply to such businesses. And those laws contain security mandates and breach notification obligations similar to what is required of healthcare entities under HIPAA.
Ransomware is a formidable challenge and potentially devastating to a business. And breach notification is usually a substantial and costly undertaking. All businesses—not just healthcare entities—that maintain personal information in electronic form should take the threat of ransomware seriously and implement the policies, procedures and technical safeguards necessary to guard against it. The OCR’s guidance can be found on the ransomware fact sheet.