The Office for Civil Rights (OCR) states that “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” In other words, an attacker holding control over your data and blackmailing you to retrieve the decryption keys qualifies as a breach.
If ransomware is found on your system but has not yet been activated, this is an incident rather than a breach, and you would go through your normal incident response plan.
There are only a few exceptions that might save you from having to report a ransomware event. Can you demonstrate a “low probability that PHI has been compromised, read or exfiltrated”? The following factors might be employed to establish this low probability of exposure:
- A risk assessment identifies the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification, and the risk is deemed low.
- An assessment of risk was conducted on the unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed: if you can prove with high assurance that no information left your network, then you might not have to disclose.
- During the assessment, you must measure the extent to which the risk to the PHI has been mitigated.
- You must determine whether there is a high risk of unavailability of the PHI.
- You must determine whether there is a high risk to the integrity of the PHI, i.e., that it has been altered.
F1 protects our clients through a myriad of technical safeguards; however, no technology can replace employee education. Even with all of the technical safeguards that multi-billion dollar companies have in place, ransomware is still successful because it only takes one employee clicking on a cleverly disguised e-mail to infect your organization.
If you suspect a breach of patient data or other sensitive information, F1 is here to help advise you on what your next steps should be.