Ransomware Attacks Addressed in HIPAA Security Guidance | Practical Law

The Department of Health and Human Services (HHS) has addressed how Security Rule standards under the Health Insurance Portability and Accountability Act (HIPAA) may help HIPAA covered entities and business associates prevent and recover from ransomware attacks, incidents of which have increased dramatically during 2016 to date.

Practical Law Legal Update w-002-7911 (Approx. 7 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 14 Jul 2016 | USA (National/Federal)
HHS has issued guidance addressing how HIPAA covered entities (CEs) and business associates (BAs) may apply standards under the HIPAA Security Rule to prevent and recover from ransomware attacks (see Practice Note, HIPAA Security Rule and the HIPAA Privacy, Security, and Breach Notification Toolkit). The guidance also addresses whether HIPAA breach notification is required if ransomware infects a CE's or BA's computer systems.

How Ransomware May Attack User Data

According to HHS, ransomware is a type of malware that essentially hijacks data and denies rightful users access to the data by encrypting it "with a key known only to the hacker who deployed the malware, until a ransom is paid" (regarding other forms of malicious software, see Legal Update, Malware Leads to $750,000 HIPAA Settlement). After the attack occurs, the rightful user is instructed to pay the hacker a ransom to obtain a decryption key. The ransom may need to be paid in the form of a "cryptocurrency," such as Bitcoin (see Legal Update, Compensation Paid in Bitcoin is Subject to Employment Taxes under IRS Notice 2014-21).

Preventing Ransomware Infections Using the HIPAA Security Requirements

In HHS's view, existing standards under the HIPAA Security Rule may be used to prevent the introduction of ransomware. For example, the Security Rule standard for implementing a security management process requires CEs and BAs to:
  • Conduct a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI).
  • Adopt security measures to reduce or remediate risks that are identified.
HHS also points to the Security Rule's separate requirement to implement procedures that guard against and detect malicious software, which applies squarely to ransomware.
On the scope of the required risk analysis, HHS expects CEs and BAs to identify and reduce risks to ePHI "throughout an organization's entire enterprise," including the network devices that carry it. HHS acknowledges that the Security Rule has no standard or implementation specification that specifically requires firmware updates. It nonetheless expects an entity's risk analysis to identify, and its risk management measures to address, the risk to ePHI from network devices running obsolete firmware.

HIPAA Security and Ransomware Recovery

In its ransomware guidance, HHS indicates that the Security Rule requires CEs and BAs to adopt policies to assist them in responding to and recovering from ransomware attacks. Specifically, CEs and BAs must implement a data backup plan as part of maintaining an overall contingency plan (see Practice Note, HIPAA Security Rule: Contingency Plan), including activities such as:
  • Disaster recovery and emergency operations planning.
  • Periodic testing of the contingency plan.
The contingency plan (or an organization's business continuity plan) may need to be activated in response to a ransomware attack. Because ransomware works by denying access to data, recovery depends on backups the ransomware could not reach: HHS notes that some variants remove or disrupt online backups, so backups should be kept offline or otherwise unavailable from the networks they protect, and test restorations should be performed periodically to confirm that the data can actually be recovered.

Ransomware Attacks are HIPAA Security Incidents

Under the HHS guidance, the presence of ransomware (or any malware) on a CE's or BA's computer systems is a security incident under the Security Rule. As a result, security incident procedures, which also are required under the Security Rule, may need to be used in response to a ransomware attack (see Practice Note, HIPAA Security Rule: Security Incident Procedures and NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide); see also Legal Update, HHS Issues HIPAA Security Rule Mapping to NIST Cybersecurity Framework). These procedures should allow a CE or BA to (among other responses):
  • Detect and perform a preliminary analysis of the ransomware.
  • Recover from the ransomware attack by restoring data lost during the attack and resuming business-as-usual activities.
The guidance addresses initial analysis and follow-on incident response activities involving ransomware attacks, which include:
  • Determining the scope of an incident (that is, assessing which networks, systems, or applications were impacted).
  • Identifying the incident's origin and how it occurred.
  • Containing the ransomware's propagation and restoring lost data.
  • Assessing whether there was a breach of PHI because of the security incident.

Role of HIPAA Training in Identifying Ransomware Attacks

According to HHS, a CE's or BA's workforce should receive training (under HIPAA's training requirement) to detect and report situations involving malware (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials). Indicators of a ransomware attack might include an inability to access files while the ransomware is encrypting, deleting, renaming, or relocating data. Upon identifying a ransomware attack, a CE or BA should immediately activate its security incident response plan, which should include isolating infected computer systems to halt the spread of the attack.
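The indicators just described (files becoming inaccessible as they are encrypted, deleted, renamed or relocated) have direct counterparts in host file-activity telemetry, and a practitioner would want them caught by monitoring rather than left to users noticing. The following is an added example, not part of the HHS guidance or of this Practical Law update: a heuristic detector that scores each process's file activity within a sliding time window for the combination of near-random (encrypted-looking) writes, renames or deletions of the original files, and spread across several directories. The event schema, the thresholds, the constructed sample log (an invented clinic file share, user and process IDs) and the hash-chain stand-in for encrypted output are all assumptions made for illustration.

```python
"""Heuristic ransomware-indicator detection over file-activity events.
Added example; event schema, thresholds and sample log are constructed."""
import hashlib
import math
from collections import defaultdict

# Observable counterparts of the HHS indicators (files inaccessible as they are
# encrypted, deleted, renamed or relocated): near-random writes, renames or
# deletes of the originals, and one process doing both across directories.
WINDOW_SECONDS = 60.0
ENTROPY_THRESHOLD = 7.5        # bits/byte; documents and text sit well below
MIN_HIGH_ENTROPY_WRITES = 5
MIN_RENAMES = 5
MIN_DIRECTORIES = 3


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of `data` in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(events):
    """Score each process's file activity within a sliding time window.

    `events`: dicts with ts (seconds), pid, user, op in {'write', 'rename',
    'delete'}, path, and for writes a `sample` of the bytes written.
    Returns one finding per process whose window meets all three thresholds.
    """
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1            # keep the window within WINDOW_SECONDS
            window = evs[start:end + 1]
            high_entropy = sum(
                1 for e in window if e["op"] == "write"
                and shannon_entropy(e.get("sample", b"")) >= ENTROPY_THRESHOLD)
            renames = sum(1 for e in window if e["op"] in ("rename", "delete"))
            directories = {e["path"].rsplit("/", 1)[0] for e in window}
            if (high_entropy >= MIN_HIGH_ENTROPY_WRITES and renames >= MIN_RENAMES
                    and len(directories) >= MIN_DIRECTORIES):
                findings.append({"pid": pid, "user": evs[end]["user"],
                                 "high_entropy_writes": high_entropy,
                                 "renames_or_deletes": renames,
                                 "directories": sorted(directories)})
                break                 # one finding per process triggers isolation
    return findings


def _pseudo_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output
    (SHA-256 hash chain, so the example runs offline and reproducibly)."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


def sample_events():
    """Constructed log (invented paths, user and PIDs): a clinician editing a
    note, and a process encrypting documents in place and renaming them."""
    note = b"Progress note: pt seen for follow-up, BP 128/82, continue meds.\n" * 40
    events = [{"ts": 1000.0 + i * 5, "pid": 4321, "user": "rn_smith", "op": "write",
               "path": "/home/rn_smith/notes/visit-0714.txt", "sample": note}
              for i in range(2)]
    victims = ["/shares/clinic/records/patient-0001.pdf",
               "/shares/clinic/records/patient-0002.pdf",
               "/shares/clinic/billing/claims-2016-06.xlsx",
               "/shares/clinic/billing/claims-2016-07.xlsx",
               "/shares/clinic/imaging/study-1188.dcm"]
    for i, path in enumerate(victims):
        t = 2000.0 + 2 * i
        events.append({"ts": t, "pid": 6666, "user": "rn_smith", "op": "write",
                       "path": path, "sample": _pseudo_ciphertext(path.encode())})
        events.append({"ts": t + 0.5, "pid": 6666, "user": "rn_smith", "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    return events


if __name__ == "__main__":
    for f in analyze(sample_events()):
        print(f"pid {f['pid']} ({f['user']}): {f['high_entropy_writes']} encrypted-looking "
              f"writes and {f['renames_or_deletes']} renames/deletes in {f['directories']}")
```

All three conditions are required on purpose: a backup or compression job also produces high-entropy output across many directories, but it creates new files rather than renaming or deleting the originals, so requiring the rename/delete burst as well keeps such jobs from firing the rule. In a real deployment the events would come from an EDR, Sysmon or auditd feed, the thresholds would be tuned to the environment, and a finding would feed the isolation step of the security incident response plan that the guidance describes.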

HIPAA Breach Implications

Whether the presence of ransomware is a HIPAA breach is a fact-specific assessment, and the guidance includes guidelines for making this determination (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans). HHS's view is that when ePHI is encrypted by ransomware, the ePHI has been "acquired" (unauthorized individuals have taken possession or control of it), which is a disclosure not permitted by the HIPAA Privacy Rule (see Practice Note, HIPAA Privacy Rule).
Under the HIPAA breach notification rules, such a disclosure is presumed to be a breach unless the CE or BA can show, based on the risk assessment factors in those rules, that there is a low probability that the PHI was compromised. In applying those factors to ransomware, HHS notes that an entity may also need to consider the attack's effect on the integrity of the PHI. The impact may be severe if, for example, the ransomware encrypts the data and then deletes the originals, leaving only the encrypted copies. If the entity cannot demonstrate a low probability of compromise, it must comply with the applicable breach notification rules, including notification to affected individuals, HHS, and (in some cases) the media (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans: What Is a Breach Requiring Notification?).

Reportable Breaches

The guidance also addresses whether it is a reportable breach if ePHI that is encrypted by the ransomware was already encrypted to comply with HIPAA. According to HHS, if ePHI was already encrypted by a CE or BA under accepted standards, so that it is no longer unsecured PHI, then:
  • The entity need not conduct a risk assessment under HIPAA to evaluate whether there is a low probability of compromise.
  • HIPAA breach notification is not required.
However, additional analysis may be required to ensure that the entity's encryption (as opposed to the ransomware's encryption) actually rendered the PHI unreadable, unusable, and indecipherable to unauthorized individuals at the time of the attack. The distinction matters in practice: full-disk encryption, for example, protects data at rest on a powered-off device, but once an authenticated user has logged in the operating system decrypts files on demand, and ransomware running in that user's session reads and encrypts the plaintext. Whether the safe harbor applies therefore depends on how the data was protected when the ransomware ran, not merely on whether an encryption product was deployed.

Practical Impact

Given that downloaded malware has already been the basis of a HIPAA settlement agreement (see Legal Update, Malware Leads to $750,000 HIPAA Settlement), it is probably only a matter of time before a ransomware attack results in similar assessments. As a result, this HHS guidance offers CEs and BAs a useful starting point for how HHS would evaluate the effectiveness of an entity's procedures and safeguards for preventing and responding to a ransomware attack. In many respects, HHS appears to view ransomware attack preparedness as an extension of the standards and implementation specifications that are already required under the Security Rule. Also, as is the case in other HIPAA privacy and security contexts, a CE or BA that can demonstrate appropriate efforts to train its workforce will be better positioned to handle a post-incident investigation by HHS (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials and Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations).