Ransomware attacks may be reportable, OCR guidance clarifies

With ransomware attacks on U.S. entities increasing dramatically in 2016 (by more than 300 percent year-to-date over 2015, according to a recent government report), and becoming more sophisticated, dental practices are at greater risk of being targeted by hackers. In response to this growing threat, the U.S. Department of Health and Human Services' Office for Civil Rights released new guidance to help health care providers better understand the malicious software and the steps required to help prevent, detect and respond to attacks.

Critically, the new guidance also clarifies the definition of a "breach of health care information" under the Breach Notification Rule of the Health Insurance Portability and Accountability Act and explains how affected providers should manage the HIPAA breach notification process.

Under the HIPAA rule, a breach occurs when patient health information is acquired, accessed or used in a manner not permitted and that compromises the security or privacy of the information. The new guidance emphasizes that providers are required to, "without unreasonable delay," report the breach to the secretary of the HHS and notify affected patients unless they can prove, with sufficient supporting documentation, that there is a "low probability that the patient health information has been compromised." Demonstrating a low probability means conducting a thorough risk assessment that is completed in good faith and produces reasonable conclusions.

Ransomware wreaks havoc by infecting a user's computer and denying or attempting to deny access to patient data, usually by encrypting it. The malware then directs the user to pay the hacker a ransom in order to regain access.

"When electronic protected health information is encrypted as the result of a ransomware attack, a breach has occurred …," the guidance states. The practice must then comply with the breach notification process, including notifying HHS and patients, as well as the media if the breach affects more than 500 individuals.

If patient information was already encrypted in compliance with HIPAA guidance at the time the ransomware attack attempted to encrypt it, the practice generally would not be required to notify HHS and patients of a breach; however, the practice should be prepared to conduct an analysis demonstrating that the secured data was, and will remain, unreadable and unusable to the hacker or any other unauthorized persons.

In its earlier years, ransomware depended on users clicking malicious links in spam email to successfully infect a computer. Now, hackers commonly use phishing tactics or exploit outdated software on a user's computer, making it especially important that dental practices make efforts to prevent and detect ransomware threats. The guidance cites the following HIPAA-required activities that practices should perform:

  • Conduct a risk analysis to identify threats and vulnerabilities to electronic protected health information and establish a plan to mitigate or remediate the identified risks.
  • Implement procedures to safeguard against malicious software.
  • Train authorized users on detecting and reporting malicious software.
  • Limit access to protected health information to those persons or software programs requiring access.
  • Maintain a contingency plan that includes disaster recovery, emergency operations, frequent data backups and test operations.

TDIC recommends taking additional IT-related precautions, which can be found in "Actions to help avoid 'ransomware nightmare'" in the June 2015 issue of the CDA Update.

"Unlike many cyber threats … ransomware is immediately disruptive to day-to-day business functions and, therefore, your ability to provide high-quality health care," stated the secretary of the HHS in a letter that was sent with the guidance to health care CEOs.

One California dentist experienced this turmoil firsthand, when her practice fell victim to a ransomware attack in late 2014. CDA chronicled her story in the May 2015 issue of the Journal of the California Dental Association.

"My practice has essentially been down now for several days," the dentist, who elected to remain anonymous, told CDA. "I can't access software to see scheduling, I have no idea what appointments are set up and we can't access digital X-rays," she added.

Ultimately, the dentist's IT consultant remedied the problem by building a new server. The dentist did not pay the ransom, which aligns with the FBI's recommendation. Paying a ransom, the FBI says, does not guarantee the victim will receive the key to unlock patient data, nor does it guarantee removal of the ransomware or that the victim will not be targeted again.

The letter from the secretary of the HHS advises any practice that becomes a victim of a ransomware attack to immediately contact its local FBI field office or local U.S. Secret Service field office.

The OCR guidance is available on the HHS website.

  • Read more about HIPAA compliance on CDA's website. For information on how to conduct a required risk assessment, read the related article, "HIPAA-required risk assessment can help prevent, detect malware attacks," in the September CDA Update.
