Recently, the WannaCry ransomware attack impacted 150 countries and over 300,000 computers. Not all ransomware attacks are so massive but they all are fast moving and require swift action to prevent destruction and loss of data. In particular, employers who experience a ransomware attack must consider whether there is an impact on the protected health information that is maintained by the employer in connection with its group health plan.
Ransomware has the potential to encrypt data that is open and accessible to the user. For example, an HR professional who experiences a ransomware attack on his or her laptop while a program that maintains protected health information is running will expose that protected health information during the attack. In order to unlock data, attackers ask for a monetary payment and more sophisticated hackers will often ask for bitcoin or other payment methods that are more difficult to trace. An employer must do more than pay the attacker to unlock its data. The employer must consider its responsibilities under the Health Insurance Portability and Accountability Act (“HIPAA”) and determine whether such attack requires notification to individuals and the U.S. Department of Health and Human Services (“HHS”).
HHS has issued guidance on the requirements under HIPAA relating to ransomware attacks that impact covered entities and business associates.1 HHS has indicated that the mere presence of ransomware or other forms of malware on a covered entity’s system (i.e., in the case of a group health plan, the system of an employer that sponsors a self-funded group health plan) is a security incident2 under the HIPAA security rule. In addition, such incident is presumed to also be a breach3 unless the employer-sponsored group health plan can demonstrate that there is a low probability that protected health information maintained on the employer’s system has been compromised. On behalf of the group health plan, the employer should document both its security incident response and determination of whether the incident was a breach and, if so, steps taken to mitigate any harm and provide proper notifications.
Security Incident Response
When an employer that maintains a group health plan discovers a ransomware attack, the employer must initiate its security incident response and reporting procedures, as required under HIPAA. The employer’s security incident response must determine: (i) the scope of the incident to identify what networks, systems, or applications are affected; (ii) the origination of the incident; (iii) whether the incident is finished, ongoing or has triggered additional incidents; and (iv) how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited).
After these initial steps are taken, the employer will need to use the information collected to determine the next steps, such as: (i) containing the impact and spread of the ransomware; (ii) stopping the ransomware attack and mitigating or remediating any vulnerabilities in the employer’s system that allowed the ransomware attack to occur; (iii) restoring all lost data and returning to normal business operations; and (iv) determining whether the incident will require notices to regulatory agencies or individuals.
Don’t Forget to Conduct a Risk Assessment
An employer must conduct a deeper analysis to determine whether the ransomware attack is also a breach of protected health information. This is a fact specific determination and involves a multi-part test (i.e., a “risk assessment”) to determine whether there is a low probability that any protected health information that was encrypted or locked-up by the ransomware attack was compromised. The risk assessment should include at least the following factors:
- the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- the unauthorized person who used the protected health information or to whom the disclosure was made;
- whether the protected health information was actually acquired or viewed; and
- the extent to which the risk to the protected health information has been mitigated.
An employer’s security incident response and analysis may be helpful in determining whether a breach occurred. An employer must consider whether or not data that contains protected health information was exposed during the attack. One key consideration is whether data was at rest (i.e., full disk encryption while powered down or in sleep mode) or whether the data was unlocked by the authorized user. For example, if an authorized user is currently logged-in to the system that maintains protected health information during a ransomware attack, then that information is decrypted and unsecured when the system becomes infected with the malware and the facts and circumstances will likely demonstrate that a breach has occurred. Other key pieces of information to consider will include: the type of malware that was utilized; the algorithmic steps undertaken by the malware; whether the malware infiltrated other systems that may contain protected health information and whether malware attempted to exfiltrate any such data; and whether the malware deposited hidden malicious software or exploits vulnerabilities for future unauthorized attacks. HHS encourages entities to go further and explore additional factors to appropriately evaluate the risk that protected health information has been compromised.
Employers must take steps to mitigate any harm to exposed protected health information. This may prove to be difficult or impossible if data is locked or encrypted or the original data was deleted and there was no system back-up or disaster recovery plan in place. All documentation relating to a risk assessment should be maintained to support the group health plan’s burden of proof regarding the breach assessment. If the risk assessment concludes that a breach has occurred, all documentation related to required notifications should also be maintained.
Recent HHS Malware Settlement
In November of 2016, HHS entered into a settlement, including a two year corrective action plan and US$650,000 fine, with a covered entity that experienced a malware attack resulting in a breach of unsecured protected health information with respect to approximately 1,670 individuals.
HHS indicated that the following conduct lead to the settlement and corrective action plan: (i) the covered entity failed to have proper policies in place under the HIPAA privacy and security rules; (ii) the covered entity failed to conduct an analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all of its electronic protected health information; (iii) the covered entity failed to implement technical security measures to guard against unauthorized access to electronic protected health information; and (iv) the covered entity provided access to the protected health information of 1,670 individuals whose information was maintained on a workstation that was infected with malware in violation of the HIPAA privacy rule.
Policies, Training and Go Phishing
It is imperative that employers maintaining group health plans establish policies and procedures that provide steps to assist in in responding to and recovering from a ransomware attack. This should be part of the on-going HIPAA risk analysis and should be addressed in the on-going risk management plan. All systems that maintain protected health information should be frequently backed-up and tests should be conducted to ensure the ability to recover data from backups. If feasible, data backups should be maintained offline and access to the offline backups should not be accessible from the employer’s network. An employer may want to engage a security vendor to assist with the development of a cyber security program.
In addition, employers must train employees who have direct or indirect access to protected health information. Training includes confirming that employees understand the role they play in protecting the data of the organization as a whole, not just the protected health information maintained by or on behalf of the group health plan.
Employers should not wait for a malware attack to occur. It only takes one click for an employee to unleash a cyberattack/ransomware attack. How do you stop that click — mimic a phishing attack and see who bites! Even with all the right mechanisms in place it is difficult to control the human element. The key is putting in place policies, mandatory training programs and mimic attacks to make sure proper mechanisms are in place.
If you require assistance with implementing policies and procedures to address ransomware attacks and breach notifications, please contact the lawyer listed below.
1) U.S. Department Health and Human Services, Office for Civil Rights, FACT SHEET: Ransomware and HIPAA (2016).
2) 45 C.F.R. 164.304 defines a “security incident” as the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system.
3) 45 C.F.R. 164.402 defines a “breach” as the acquisition, access, use or disclosure of protected health information in a manner not permitted under the HIPAA privacy rule which compromises the security or privacy of the protected health information.