People responsible for cybersecurity in every industry are familiar with the scourge of ransomware. If hit, your organization could be exposed to some very serious regulatory consequences on top of the public embarrassment, technical costs, and financial losses from the incident. For healthcare entities, HIPAA guidance on exposure of patient information can be very difficult to navigate. An important question for healthcare entities is whether they can avoid triggering the Breach Notification Rule if hit with ransomware.
What does the government say about ransomware attacks?
The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the covered entity or business associate must initiate its security incident response and reporting procedures. See 45 C.F.R. 164.308(a)(6).
There are four keys to having a good path to navigate when hit with ransomware:
Key One: Have the capacity in place to detect a ransomware infection. The earlier you identify the beginnings of a ransomware attack the better your chances of interrupting it before it takes root and spreads. This requires that detection procedures, which include human and technical resources, are implemented and effective.
Key Two: Be prepared to deal with a ransomware infection. Follow the HIPAA Security Rule guidance to have technical protections in place. This includes effective Downtime Procedures to continue operations without information system resources while recovery and remediation are taking place.
Key Three: Be prepared to restore ePHI from off-line, i.e., “air gap” backup resources. Corruption of data is a common issue with ransomware attacks. Being able to restore data - regardless of whether the ransom is paid and the decryption process works - is the best path to have available. Recent variants of ransomware have deleted files after a pre-determined period following encryption.
Key Four: Be able to determine if the attack is an event that triggers the Breach Notification Rule. Be prepared to determine if ePHI was exfiltrated. Exfiltration is evidence that internal files have been transmitted externally. The business impacts are more significant when there is evidence that exfiltration occurred.
Compliance Factors and Meeting the "Low Probability" Threshold
Let’s be clear. A successful ransomware infection that reaches any ePHI data is a reportable incident.
Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.
Complying with disclosure under the Breach Notification Rule can generate significant financial and reputational impacts for the organization. Meeting the threshold of “Low Probability” that ePHI has been compromised requires the organization to have evidence that meets these points:
To demonstrate that there is a low probability that the protected health information (PHI) has been compromised because of a breach, a risk assessment considering at least the following four factors (see 45 C.F.R. 164.402(2)) must be conducted:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Let’s use some basic questions to frame if an attack can have a “Low Probability” determination:
- Did the devices attacked contain ePHI?
- Was the ePHI protected by encryption?
- Is the version of ransomware known to attempt exfiltration?
- Were actions taken by the organization to mitigate the attack?
- Is there evidence of exfiltration?
A Real-World Scenario
Sage has helped organizations address these questions. When the facts support it, Sage has developed the information necessary to avoid having the Breach Notification Rule triggered. Here's an example.
Did the devices contain ePHI? This was a Yes. Working together, Sage and the client team identified the specific workstations and servers that were infected with ransomware. The infection was contained to virtual workstations and selected network shares. Examination of the functions of those systems determined that ePHI was present.
Was the ePHI protected by encryption? This was a No. In this case the attack occurred when users were logged in. Encryption that could be in place for data at rest does not protect the data when it is open for access to users.
Is the version of ransomware known to attempt exfiltration? This was a No. Research by Sage determined the strain to not have a history of attempting exfiltration.
Were actions taken by the organization to mitigate the attack? This was a Yes. The beginnings of the infection were flagged by Tyler Detect for the client. This early warning helped to limit the damage. The client, working with advice from Sage, was able to isolate, remediate, and restore business functions and ePHI data. The workstations were virtual machines and were automatically erased when the users logged out. The immediate infection was resolved.
Is there evidence of exfiltration? This is where a triggering of the Breach Notification Rule appears on the horizon. It was determined that ePHI was in play and that it was not encrypted. If there is evidence of exfiltration, it must be assumed that the attackers will view or otherwise use the stolen ePHI. The experts at Sage in the Tyler Detect service dug into the logs and records for network traffic. The analysis covered the time leading up to and after the infection.
Making use of the technical and human capabilities at Sage, we were able to report: “After analyzing all connections matching the criteria for the device, it does not appear that any data exfiltration has occurred.”
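As an added illustration (not Sage's or Tyler Detect's code) of the kind of egress review behind a conclusion like that, the script below sums the bytes each infected host sent to addresses outside the organization's internal ranges during the incident window and compares them with the preceding hour. The hostnames, addresses, byte counts, internal ranges and the 10 MB threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: (host, start time, destination IP, bytes sent).
# Hostnames, addresses and volumes are invented for illustration only.
FLOWS = [
    ("vdi-ws-17", "2023-06-01T08:05:00", "10.0.5.20", 120_000),          # internal file share
    ("vdi-ws-17", "2023-06-01T08:07:00", "203.0.113.45", 9_000),          # routine external traffic
    ("vdi-ws-17", "2023-06-01T09:30:00", "10.0.5.20", 640_000),          # internal, during infection
    ("vdi-ws-17", "2023-06-01T09:31:00", "198.51.100.9", 45_000_000),    # large external upload
    ("vdi-ws-22", "2023-06-01T09:32:00", "10.0.5.20", 300_000),
    ("vdi-ws-22", "2023-06-01T09:33:00", "203.0.113.45", 12_000),
]

# Assumed internal address space; an analyst would substitute the organization's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip: str) -> bool:
    """True when the destination lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def external_egress(flows, hosts, start, end):
    """Bytes sent to external destinations per host within [start, end], plus a per-destination breakdown."""
    totals = defaultdict(int)
    by_dest = defaultdict(lambda: defaultdict(int))
    for host, ts, dst, nbytes in flows:
        t = datetime.fromisoformat(ts)
        if host in hosts and start <= t <= end and is_external(dst):
            totals[host] += nbytes
            by_dest[host][dst] += nbytes
    return dict(totals), {h: dict(d) for h, d in by_dest.items()}

def assess_exfiltration(flows, hosts, infection_start, window_hours=1, threshold_bytes=10_000_000):
    """Compare each host's external egress in the incident window with the window just before it.
    A host is flagged for analyst follow-up when its incident egress exceeds the threshold
    or is more than ten times its own baseline; an unflagged host is not proof of no exfiltration."""
    start = datetime.fromisoformat(infection_start)
    end = start + timedelta(hours=window_hours)
    base_tot, _ = external_egress(flows, hosts, start - timedelta(hours=window_hours), start)
    inc_tot, inc_dest = external_egress(flows, hosts, start, end)
    verdicts = {}
    for host in hosts:
        baseline, incident = base_tot.get(host, 0), inc_tot.get(host, 0)
        suspicious = incident >= threshold_bytes or (baseline > 0 and incident > 10 * baseline)
        verdicts[host] = {"baseline_bytes": baseline, "incident_bytes": incident,
                          "suspicious": suspicious, "top_destinations": inc_dest.get(host, {})}
    return verdicts

if __name__ == "__main__":
    for host, v in assess_exfiltration(FLOWS, {"vdi-ws-17", "vdi-ws-22"}, "2023-06-01T09:00:00").items():
        print(host, v)
```

The flagged destinations are where the analyst then pulls full session records; the per-host figures are the kind of evidence the risk assessment's "actually acquired or viewed" factor depends on.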
While it is not possible to prove a negative, professional analysis can examine the evidence, weigh the facts, and come to a supportable judgment. In this case the client was able to report that there was in fact a "Low Probability" that an ePHI breach had occurred. Triggering the Breach Notification Rule was avoided.
Had there been no evidence concerning possible exfiltration, it is likely the client would have had to trigger the Breach Notification Rule. This outcome was possible because the client has been working with Sage for years to reinforce their IT security program and achieve compliance with the HIPAA Security Rule.
No one wants to deal with ransomware and the other, now too common, cyber-attacks. Having the right resources and practices in place can help organizations avoid infections and reduce the business impacts of attacks when they do occur.
Ensure HIPAA Compliance
Sage's HIPAA | HITECH Regulatory Compliance Assessment will identify any areas in which your organization is not in compliance with these laws, and details precise methods for becoming compliant.