Determining If a Ransomware Attack Is a Reportable Breach
Attorney Reviews Critical Factors in Assessing Incidents
While awaiting new guidance from the Department of Health and Human Services' Office for Civil Rights, healthcare organizations can take several steps to help determine whether a ransomware attack is a reportable breach under HIPAA, says compliance attorney Betsy Hodge.
"I would encourage covered entities and business associates who believe they've been subject to a ransomware attack to drill down and investigate what type of ransomware is involved, and what has the ransomware done - and not done - to the data," Hodge says in an interview with Information Security Media Group.
Hodge says victim organizations need to ask: "Has [the ransomware] only encrypted the data - sort of wrapped around the data - or is there any evidence that the data in any way has been accessed, acquired or exfiltrated?" If more than just encryption has occurred, the incident may be a reportable breach, she notes.
Sophisticated audit tools, which can prove costly, are helpful in performing an assessment "to determine if, in fact, there is a low probability that protected health information was improperly used or disclosed during the ransomware attack," she says.
"Right now, it's an open question whether a ransomware attack is reportable, but I think it depends on the particular facts in a particular case. That's why everyone is anxiously awaiting some guidance from the Office for Civil Rights on that point."
Eventually, class-action lawsuits will likely be filed in the wake of ransomware incidents, Hodge predicts. But the basis of the lawsuits will likely depend on the facts in a particular case, she says.
A lawsuit might address, for example, "whether ... the covered entity had lax security or perhaps had not implemented all the policies and procedures required under the HIPAA Security Rule ... and whether the covered entity or business associate should've provided notice under the HIPAA Breach Notification Rule, but did not," she says. "Another interesting question will be how plaintiffs in a particular case show how they've suffered harm as the result of a ransomware attack ... [such as in] a situation where someone had a delay in surgery or other necessary procedure because the necessary systems were down."
In the interview, Hodge also discusses:
- Lessons emerging from recent OCR enforcement actions, including resolution agreements and financial settlements stemming from breach investigations;
- Areas where business associates are still struggling, more than three years after the HIPAA Omnibus final rule made these vendors directly liable for HIPAA compliance;
- Whether OCR enforcement actions might result from the next round of HIPAA compliance audits.
Hodge is an attorney at the Tampa office of the national law firm Akerman LLP, where she provides guidance to physicians and hospitals regarding compliance with federal and state regulations, including HIPAA. She is also the former president of the Florida Academy of Healthcare Attorneys and is a member of the Florida Hospital Association's HIPAA Preemption Analysis Task Force.