You’ve been hit with Ransomware – Now what? And is it a reportable breach?
Well, that depends. Given the dramatic rise in ransomware attacks recently, many regulators have issued formal guidance that a ransomware attack is presumed to be a reportable breach unless you can prove otherwise, with “prove” being the operative word. If you haven’t yet read our blog post, below, on the “Alarming Increase of Ransomware” and what you can do to avoid it, please take a moment to review those recommendations.
To determine whether a ransomware attack is a reportable breach under privacy and security laws such as the HIPAA/HITECH Privacy, Security and Breach Notification Rules and other consumer protection laws, we have to start with how a breach is defined. Under HIPAA, a breach is the unauthorized or impermissible “acquisition, access, use, or disclosure” of protected health information (“PHI”) that compromises the security or privacy of that information (45 C.F.R. 164.402). Many other privacy and security laws governing protected information have similar definitions that boil down to whether personal, health or other confidential information (“PII”, “PHI”, ePHI or “CI”) was compromised, or whether compromise is likely.
There are now at least 200 different “families” (variants) of ransomware, some more sophisticated than others. The most common kind encrypts data in place, locking users out of infected devices or networks with a key the attacker controls. An attack doesn’t necessarily mean that confidential data has been accessed, used or viewed, but many federal and state privacy and security laws require an analysis of that question, and you don’t want to get it wrong. And newer ransomware does more than encrypt: it collects information such as the number of records encrypted, or copies the data itself, so the attacker can demand a higher ransom.
THIS IS NOT A SCREEN YOU WANT TO SEE!
If you visit the websites of many federal and state regulators, including HHS, its Office for Civil Rights (OCR) and the FBI, you’ll see just how serious and prevalent this problem is. Attackers especially like targeting hospitals, government agencies and others holding critical or sensitive information, and many are using newer, hybrid ransomware that infects a system but stays quiet behind the scenes, loading other malware that lets third parties view or access data. Cyber thieves are known to advertise on the Dark Web, auctioning off information and access to the highest bidder (in the same way pools of stolen credit card numbers are illegally auctioned off). By giving other unauthorized parties access to confidential data, the attacker’s conduct meets the definition of a breach. In guidance released late last year, HHS announced that the presence of any ransomware (or any malware, for that matter) on a covered entity’s or business associate’s computer systems is a “security incident” under the HIPAA Security Rule, and therefore requires prompt investigation, remediation and possibly notification. Once the ransomware is detected, the affected entity must promptly initiate its security incident response and reporting procedures. See 45 C.F.R. 164.308(a)(6). Whether the presence of ransomware is also a reportable breach under HIPAA or other security laws is a fact-specific question. Know what’s required!
Which raises the question: how does an organization prove that protected confidential data wasn’t improperly used or compromised (or establish that it was and must be reported)? It may not be fast or easy, but it’s in the organization’s interest to quickly take steps to determine, and document, its findings. In its recent guidance, HHS has taken the position that a breach is presumed unless the affected entity can demonstrate that there is a “… low probability that PHI has been compromised,” based on the HIPAA Breach Notification Rule’s four risk assessment factors: (1) the nature and extent of the PHI involved, (2) the unauthorized person who used the PHI or to whom it was disclosed, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk to the PHI has been mitigated (45 C.F.R. 164.402). If other types of regulated personal data are potentially at risk and it can be established (and documented in a justifiable, reasonable way) that the ransomware only encrypted data in place and that the data was never viewed, used, accessed or moved off servers or devices, it may not be a reportable breach, but you have to get it right. Identifying the exact malware family and variant, what it is capable of (encryption only, or data collection and exfiltration as well), and whether any exfiltration was attempted is critical, and the conclusion has to rest on evidence such as firewall, proxy and endpoint logs, not on assumption.
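One piece of the evidence that supports a “low probability of compromise” finding is a review of outbound network traffic around the time of the infection. The script below is an added example, not part of the original post or any regulator’s guidance: it runs over a constructed sample of outbound-connection log lines (the `src=… dst=… bytes_out=…` format, the baseline and incident windows, and the 50 MB / 5× thresholds are all assumptions for illustration) and flags any host whose outbound volume during the incident window spikes relative to its own baseline or that sends a large volume to a destination never seen before.

```python
"""Exfiltration screen over outbound-connection logs.

Added example; the log format, windows and thresholds below are
assumptions for illustration, not a standard or a regulator's method.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: one outbound connection per line.
# Hosts 10.0.1.5 and 10.0.1.9 send a few hundred KB a day to known
# partners; on the morning the ransomware was detected (assumed to be
# 2017-03-08), 10.0.1.9 pushes ~850 MB to an address never seen before.
SAMPLE_LOGS = """
2017-03-01T09:10:00Z src=10.0.1.5 dst=198.51.100.20 bytes_out=410000
2017-03-01T11:30:00Z src=10.0.1.9 dst=198.51.100.20 bytes_out=380000
2017-03-02T09:05:00Z src=10.0.1.5 dst=198.51.100.21 bytes_out=520000
2017-03-02T14:20:00Z src=10.0.1.9 dst=198.51.100.20 bytes_out=300000
2017-03-03T10:00:00Z src=10.0.1.5 dst=198.51.100.20 bytes_out=450000
2017-03-03T16:45:00Z src=10.0.1.9 dst=198.51.100.21 bytes_out=410000
2017-03-08T02:15:00Z src=10.0.1.9 dst=203.0.113.77 bytes_out=600000000
2017-03-08T02:40:00Z src=10.0.1.9 dst=203.0.113.77 bytes_out=250000000
2017-03-08T09:00:00Z src=10.0.1.5 dst=198.51.100.20 bytes_out=470000
""".strip().splitlines()

# Assumed windows: a week of normal activity, then the day of detection.
BASELINE = (datetime(2017, 3, 1), datetime(2017, 3, 8))
INCIDENT = (datetime(2017, 3, 8), datetime(2017, 3, 9))


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if key == "bytes_out" else value
    return rec


def summarize(records, start, end):
    """Per-source total bytes sent and set of destinations within [start, end)."""
    totals = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for rec in records:
        if start <= rec["ts"] < end:
            totals[rec["src"]]["bytes"] += rec["bytes_out"]
            totals[rec["src"]]["dsts"].add(rec["dst"])
    return dict(totals)


def assess_exfiltration(lines, baseline, incident, ratio=5.0, min_bytes=50_000_000):
    """Flag hosts whose incident-window uploads look like exfiltration.

    A host is flagged when its outbound volume in the incident window is at
    least `min_bytes` AND either exceeds `ratio` times its own baseline daily
    average or goes to a destination absent from the baseline. Both thresholds
    are assumptions; tune them to the environment.
    """
    records = [parse_line(line) for line in lines]
    base = summarize(records, *baseline)
    inc = summarize(records, *incident)
    base_days = max((baseline[1] - baseline[0]).days, 1)
    empty = {"bytes": 0, "dsts": set()}

    findings = []
    for src, stats in sorted(inc.items()):
        seen = base.get(src, empty)
        daily_avg = seen["bytes"] / base_days
        new_dsts = sorted(stats["dsts"] - seen["dsts"])
        reasons = []
        if stats["bytes"] >= min_bytes and stats["bytes"] > ratio * daily_avg:
            reasons.append("volume spike vs. baseline")
        if stats["bytes"] >= min_bytes and new_dsts:
            reasons.append("large upload to previously unseen destination")
        if reasons:
            findings.append({
                "src": src,
                "incident_bytes": stats["bytes"],
                "baseline_daily_avg_bytes": round(daily_avg),
                "new_destinations": new_dsts,
                "reasons": reasons,
            })
    return findings


def run_example():
    """Run the screen over the constructed sample with the assumed windows."""
    return assess_exfiltration(SAMPLE_LOGS, BASELINE, INCIDENT)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

A clean result from a screen like this is supporting evidence, not proof: small, steady transfers under the threshold, uploads through an allowed cloud service, encrypted tunnels or logs the attacker deleted will all pass it. Corroborate with endpoint telemetry and with what the identified malware variant is actually capable of, and record the log sources, windows and thresholds used so the assessment can be defended later.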
The affected entity should immediately put its Incident Response Plan into action. (Let’s hope there is an Incident Response Plan, because this isn’t the ideal time to try to figure one out. And I’d like to point out that everyone regulated under HIPAA is required by law to have security incident procedures in place (45 C.F.R. 164.308(a)(6)), along with other safeguards such as a security awareness and training program for all workforce members (45 C.F.R. 164.308(a)(5)); many similar laws impose comparable requirements. Big fines are coming to those who don’t take this seriously and don’t have legally compliant plans in place.) Beyond the many smart business reasons to establish an incident response plan, many federal and state laws require it.
Ransomware attacks on the healthcare sector in particular, and on other organizations holding confidential data, are becoming much more common and sophisticated. The consequences of a ransomware attack on the delivery of healthcare and other critical systems are staggering: computer networks and devices are immediately locked down, preventing access to data and systems, with potentially catastrophic results. It’s critical to respond quickly when a suspected or known security incident occurs. And if it’s a ransomware attack, the consequences will be immediate!
Training employees on what to look out for is critical – and required!
Defending against security risks must be a top priority for every organization. HIPAA’s Security Rule requires a security awareness and training program for ALL workforce members with access to systems and data; the rule doesn’t fix an interval, but annual training with periodic reminders is the widely accepted baseline, and similar laws set comparable expectations. Training is one of the first things regulators will look at and one of the best ways to avoid attacks. If training is deficient, or some workforce members aren’t being trained, big fines and other sanctions can follow. Proper training is the single most important part of protecting your organization from ransomware and similar cyber threats, so make sure every person with access to a computer system or device is trained on what to look out for! Most security incidents are avoidable and result from the “human factor”: someone opens something, clicks without thinking, and now it’s too late, systems and data are compromised or worse. Preventing attacks is a far better and far less costly proposition than reacting after an attack occurs. I’d also like to point out that if you elect to pay the ransom, there’s no guarantee the decryption will work, that the data will be intact, or that a copy hasn’t already been taken. The FBI and many other regulators recommend not paying ransoms, both as a disincentive to the huge number of attacks occurring and for the same reason we give: the data may not come back even after you pay up. There’s no guarantee. Following the advice we’ve outlined for avoiding the problem in the first place, and having a backup plan ready just in case (see our July 2016 Client Alert), is a far safer, better way to go. Keep in mind that backups only help if they are kept offline or otherwise out of reach of the infected systems, since ransomware encrypts any backup it can reach, and if you have actually tested restoring from them. ______________________________________________________________________________
In addition to acting as general counsel and compliance officer to diverse business organizations, we’re frequently called on to advise clients regulated under HIPAA/HITECH laws on the best ways to assess risks and ensure compliance; and if the worst should happen, how to respond. We welcome your inquiries on our general business and corporate legal services; and would be glad to speak with you specifically about how we can help your organization with avoiding these costly, disruptive problems.
Tegan Blackburn LLC www.teganblackburn.com All Rights Reserved.