Security Ledger reports (https://securityledger.com/2016/07/regulator-ransomware-infections-likely-reportable-under-hipaa/) that the U.S. Department of Health and Human Services on Monday issued new guidance (http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf) that suggests strongly that ransomware infections that affect electronic patient health information (ePHI) are reportable violations under HIPAA.
“When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired,” HHS said in its guidance (PDF).
The new guidance comes after a period of consideration and debate within policy circles about whether having patient records encrypted by ransomware should count as a “breach” of patient privacy. In theory, the files aren’t being accessed and viewed, simply scrambled and held for ransom. Or so the thinking went.
Writing on the Virta Labs blog (http://go.virtalabs.com/ocr-ransomware), Virta CEO and University of Michigan researcher Kevin Fu noted that the HHS guidelines get a lot right, including ruling out an exemption for systems running Full Disk Encryption: ransomware, by its very nature, operates while the machine is running and the operating system and file system are already unlocked and accessible, so disk encryption offers no protection against it.
Fu expected that the guidelines would be “bad news” for the majority of Health Delivery Organizations (HDOs) covered by HIPAA. “The OCR guidance means you just got clarity on whether ransomware results in a breach. Sorry, the answer is yes, unless you have methodical evidence to the contrary.”