As the number of cyberattacks on healthcare organizations continues to rise, there are a few questions that are becoming more and more common. One of those questions is, “does a ransomware attack count as a HIPAA breach?”

The answer, for better or worse, is simple: yes.

Ransomware is a specific type of malicious software that locks a user’s data away from them. Normally, this takes the form of a hacker encrypting the data and then demanding a ransom payment before the victim can recover it. The ransomware the hacker uses can be modified to destroy your data, or be paired with other malware that wreaks havoc on your systems. According to Cofense, ransomware attacks are up 97% in the past 2 years: this type of attack is becoming more and more commonplace, and healthcare providers are prime targets for it. Hackers can demand far higher ransoms when the data they are holding is protected health information. A successful ransomware attack or data breach can be devastating to a practice all on its own.

HIPAA has clear rules and regulations regarding data protection and cybersecurity. The HHS clearly defines a HIPAA breach on its website:

“A breach is, generally, an impermissible use or disclosure under the Privacy Rule. It compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised…”

Put simply, HIPAA defines a breach as any unauthorized or illegal access to and/or use of protected health information. There are very few exceptions to this, and they mostly cover accidental, small-scale, minor cases. None of those exceptions apply to ransomware. In fact, the HHS explicitly says so:

“When electronic protected health information (ePHI) is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired, and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.”

This tells us quite clearly that ransomware is considered a HIPAA breach. Our advice is not to get bogged down in the technical details of ransomware and its impact. All you need to know is that ransomware is a growing threat and risk to your organization, and that you need to be careful. So how do you protect yourself?

There are a few things that organizations can do to protect themselves from ransomware and prevent breaches. Firstly, organizations should implement a security management process, identify vulnerabilities and threats to ePHI, and conduct a risk analysis. Once you know where the flaws in your security are, you can implement the proper security measures to mitigate those risks. From there, it’s imperative that you educate your staff about malicious software and how to guard against it, including suspicious emails, files, and websites, so they can recognize that activity and report it. Finally, limit software and data access to the people who actually need it.

Keeping up with cybersecurity threats can be overwhelming; we understand that. But it doesn’t make the task any less important. Putting the right systems in place before ever experiencing a ransomware attack is the ideal situation. It lets you avoid headaches down the line and helps your organization maintain HIPAA compliance. Preventing a successful ransomware attack not only keeps the hacker from bankrupting you; it also avoids HIPAA violation fines and keeps your organization’s reputation secure and stable. If you’re looking to keep up-to-date on HIPAA information, feel free to examine our other blog articles on this website.