Following recent international cyber attacks, the U.S. Department of Health and Human Services (HHS) has issued warnings to healthcare organizations, provided a cyber attack checklist, and launched its revised HIPAA Breach Reporting Tool (HBRT).
HHS Response to WannaCry Ransomware
In response to the WannaCry ransomware attack, HHS reminded healthcare organizations of its prior guidance that the HHS Office for Civil Rights (OCR) presumes a breach in the case of a ransomware attack. The entity must determine whether the breach is reportable no later than 60 days after the entity knew or should have known of the breach. According to the Breach Notification Rule, a breach notification is required unless the healthcare organization can demonstrate that there is a low probability that the Protected Health Information (PHI) has been compromised based on a risk assessment of at least the following factors: the nature and extent of the PHI involved, the identity of the unauthorized person who used the PHI or to whom the disclosure was made, whether the PHI was actually viewed or acquired, and the extent to which the risk to the PHI has been mitigated.
If the data was not encrypted by the entity to at least National Institute of Standards and Technology (NIST) specifications when the ransomware attack was deployed, OCR presumes a breach occurred. In that situation, the entity would need to prove that the electronic Protected Health Information (ePHI) was encrypted when the attack occurred and the ransomware containerized (encrypted again) the already encrypted ePHI.
OCR Quick Response Cyber Attack Checklist
In early June, OCR announced the release of its Quick Response Cyber Attack Checklist, which includes the following four steps for entities experiencing a cyber attack:
- The entity must execute its response and mitigation procedures as well as its contingency plans. The entity should fix technical and other problems in order to stop the attack and take steps to mitigate impermissible disclosures of PHI. Outside vendors may be brought in to offer assistance.
- The entity should report the incident to law enforcement agencies including state or local law enforcement, the FBI, and/or the Secret Service. Any such report should not include PHI unless permitted by the HIPAA Privacy Rule.
- The entity should report all cyber threat indicators to federal ISAOs (information-sharing and analysis organizations), without disclosing any PHI.
- The entity must meet its OCR reporting obligations and individual and/or media notification obligations in a timely manner. It is important to note that “OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach.”
In late July, HHS announced the launch of its revised HBRT. The revised HBRT includes the following features designed to assist the healthcare industry:
- Easier incident reporting; and
- Educational information for industry regarding incidents that are occurring as well as information about how breaches may be resolved, which can assist organizations within the healthcare industry with their efforts to improve their security preparedness.
A look ahead…
On September 5-6, 2017, HHS, OCR, and the National Institute of Standards and Technology will co-host the 10th annual conference, “Safeguarding Health Information: Building Assurance Through HIPAA Security” in Washington, D.C. Stay tuned for an upcoming alert describing the conference, which will address healthcare cybersecurity issues.
For further discussion on HHS’ Ransomware Guidance, see the prior alert issued by Steptoe & Johnson PLLC.