The Office for Civil Rights (OCR) has issued advisories that a HIPAA covered entity or business associate affected by the “WannaCry” ransomware attack or other malware should treat the incident as a reportable breach under the HIPAA/HITECH Breach Notification Rule. In ransomware guidance issued last year, OCR took the position that when a cybercriminal gains access to an information system that creates, transmits or maintains protected health information, this constitutes an unauthorized disclosure of electronic protected health information (ePHI).
Health care organizations in the United States that are affected by WannaCry or other forms of ransomware need to be familiar with HHS’s ransomware guidance. The guidance advises that when ePHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (since unauthorized individuals have taken possession or control of the information). Unless the organization can demonstrate that there is a low probability that the PHI has been compromised based on the factors set forth in the Breach Notification Rule, a breach is presumed to have occurred and notification is required.
CynergisTek recommends that if your organization falls victim to an attempted or successful ransomware incident, a careful forensic examination of the information system should be performed to determine whether the attackers had the ability to access PHI and the extent of the individual information affected, together with an assessment of the probability that the data was compromised, using the requirements of the Breach Notification Rule as a guide. We also recommend that you create awareness of ransomware across your enterprise, including what to do in the event of an attempted or successful ransomware attack. If you would like to learn more about CynergisTek’s HIPAA Privacy programs or additional ways to perform a breach assessment, contact us here.