As healthcare organizations increasingly face ransomware attacks that deny them access to their data, are these incidents breaches that they must report to the HHS Office for Civil Rights?
That’s a question that federal regulators and healthcare industry stakeholders must start answering, says David Holtzman, vice president of compliance strategies at security firm CynergisTek and a former OCR official.
In a typical breach incident, hackers are pursuing patient data to try to monetize it, he notes. But ransomware hackers are different. They are not interested in exploiting specific patient data; they electronically confiscate it to interrupt access and extort payment.
So, technically, has the data been compromised? If an organization restores access to its data and the data never was compromised, Holtzman believes it is unlikely that the incident would have to be reported as a breach. But there is a caveat: The HIPAA security rule requires appropriate safeguards to assure the confidentiality, integrity and availability of electronic protected health information. The mere introduction of malware would call into question the integrity of an organization’s PHI.
With ransomware, the availability of data has been affected, but the actual confidentiality of PHI has not been compromised. An organization, Holtzman says, could show OCR proof that no data was accessed and possibly avoid having the incident determined to have been a breach.
OCR, he adds, will take into consideration all the facts and circumstances of each incident in making its decision on what is or is not a reportable breach. OCR did not respond to a request for an interview.
OCR labels cyber attacks as hacking incidents, regardless of the form. Holtzman doesn’t believe OCR should create a separate category, distinct from hacking incidents, to assess the prevalence of these hacks. While there is value to the industry to understand the scope and size of incidents caused by cyber attacks, “they take many forms but have a common denominator of organizations being infiltrated and attacked.”
David Harlow, principal at The Harlow Group, a healthcare law and consulting firm, agrees that ransomware attacks could be seen as a non-reportable event.
“My understanding of ransomware attacks is that they rarely, if ever, involve the attacker actually bothering to access, acquire, use or disclose PHI—regulatory prerequisites to a finding of a data breach under HIPAA,” he says. “Instead, the attacker makes it impossible for the owner of the data to access or use the data. While that is a bad thing, it is not a ‘breach’ as defined under HIPAA.”
Law enforcement agencies, Harlow adds, often advise targets to pay ransom. “Many attackers set their ransoms low enough so that it will be in the clear interest of their targets to pay and get back to business as usual.”
But further peril can await a healthcare organization after a ransomware attack is over, Harlow warns. “It won’t be long before a patient brings a private lawsuit against a healthcare institution for damages caused by the institution’s negligent security practices which led predictably to a loss of data access and thereby to a bad clinical outcome. This could piggyback on investigative findings by the licensing or certification agency that may come knocking once word gets out about a hospital’s inability to function as expected due to a ransomware attack.”
(This article appears courtesy of our sister publication, Health Data Management)