Addressing Ransomware as Part of Your HIPAA Compliance Program

By Maureen Dunn McGlynn, JD
Tuesday, August 23, 2016

An increasing number of hospitals around the country have been crippled by ransomware attacks. Until recently, hospitals and other healthcare facilities were unsure whether these malware infections were required to be reported as breaches of HIPAA. Recent guidance issued by the United States Department of Health and Human Services Office for Civil Rights (OCR) signals that these attacks do, in fact, constitute breaches under HIPAA and trigger breach notification processes by HIPAA-covered entities and business associates.

Ransomware is malicious software, or malware, that attempts to prevent users from accessing their data by locking their devices or by encrypting the data with a key known only to the hacker. Once the data is locked or encrypted, the hacker demands that the authorized users pay a ransom in order to unlock or decrypt the data. Ransomware is of particular concern to hospitals and other healthcare facilities that require quick and ongoing access to patient information to provide quality, often urgent, patient care.

Hospitals and other healthcare facilities have become ransomware attack targets. Methodist Hospital in Henderson, Kentucky, was recently forced to operate in an internal state of emergency after its internal network was infected by the “Locky” strain of ransomware. Locky encrypts a user’s files so that they can no longer be opened by the user’s normal programs until a “ransom” is paid.

The Locky ransomware was also used to collect a $17,000 “ransom” from Hollywood Presbyterian Medical Center in California. The attack on Hollywood Presbyterian involved hackers using malware to infect the hospital’s computers, preventing hospital staff from being able to communicate from the infected devices for days.

As a result of the increased frequency of cyberattacks on hospitals and other healthcare facilities, the OCR recently released guidance on ransomware, known as the OCR Ransomware Guidance. The OCR Ransomware Guidance describes ransomware attack prevention and recovery steps and explains how HIPAA-covered entities and business associates should manage ransomware from a HIPAA perspective.

The OCR Ransomware Guidance advises healthcare organizations that compliance with the HIPAA security rule will help to prevent ransomware attacks. For example, the HIPAA security rule requires a healthcare organization to conduct a risk analysis to identify threats and vulnerabilities to its electronic health information and also to implement security measures to address the identified risks. This would include implementing procedures to guard against and detect malicious software.

HIPAA compliance can also help HIPAA-covered entities and business associates recover from ransomware attacks. For example, the HIPAA security rule requires organizations to maintain contingency and business continuity plans for the event that access to their data is denied. Therefore, in the event of a ransomware attack, HIPAA-compliant organizations are more likely to be able to activate already-in-place emergency operations and data restoration plans and so continue business operations while responding to and recovering from the attack.

The OCR Ransomware Guidance provides a list of ransomware attack indicators that should be included as part of an organization’s HIPAA security workforce training. It also provides suggested steps a healthcare organization should take as part of its security incident response activities.

The OCR Ransomware Guidance highlights the OCR’s determination that a ransomware attack that causes encryption of the organization’s electronic health information constitutes a “breach” under HIPAA. OCR reasons that in such a case, there is, in effect, an unauthorized disclosure of the data because unauthorized individuals have taken possession or control of the data. Unless the covered entity or business associate can demonstrate there is a low probability that the data has been compromised, the organization must comply with the HIPAA breach notification rule, including notifying all affected individuals of the breach.

In the event of a ransomware attack, covered entities and business associates must conduct a risk assessment to determine whether there is a low probability that the data has been compromised as a result of the attack. Pursuant to the HIPAA breach notification rule, the assessment must include at least the following four factors:

  • The nature and extent of the electronic health information involved, including the types of data identifiers and the likelihood of re-identification
  • The unauthorized person who used the health information or to whom the disclosure of the information was made
  • Whether the information was actually acquired or viewed
  • The extent to which the risk to the information has been mitigated

If an analysis using the above factors indicates the data has been compromised, entities must provide notification to affected individuals without unreasonable delay.

In light of the recent cyberattacks against hospitals, the OCR Ransomware Guidance should be reviewed by all HIPAA-covered entities and business associates. In addition, these entities must ensure that their policies and procedures are compliant with HIPAA, including the HIPAA security and breach notification rules.
Maureen Dunn McGlynn, JD, is a member of CCBLaw, a boutique law firm focused on providing counsel to physicians and other healthcare professionals. She can be reached at 315-477-6276 or mmcglynn@ccblaw.com.