How the OCR’s New Guidance Rule Re-Examines Ransomware

According to new guidance from the Department of Health and Human Service’s Office for Civil Rights (OCR), released on July 11, 2016, there have been, on average, 4,000 ransomware attacks per day since early 2016. This represents a nearly 300 percent increase over the same period in 2015. Simply put, ransomware has become the go-to threat vector because it eliminates the middle-man and monetizes instantly. It is easier to get paid directly by the victim, in untraceable bitcoin, than to exfiltrate data and attempt to sell it on the dark web.

These statistics will not surprise most health care organizations.  What is surprising and perhaps concerning, is that the OCR’s guidance also claims ransomware attacks constitute not only a “security incident,” but also a “breach.” “[W]hen electronic protected health information (ePHI) is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Breach Reimagined

Ransomware, traditionally, does not exfiltrate data.  Rather, it encrypts data on the system with credentials known only by the attacker.  The victim is contacted, the ransom is paid and the attacker provides the key, allowing the victim to decrypt and access his data.  Generally, the data is never moved, it is simply rendered inaccessible.  Under HIPAA, a “breach” is defined as “the acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule.” Notably, the OCR’s guidance claims that a ransomware attack may constitute a “breach” (not just a security incident) because the attack “acquires” ePHI, resulting in an impermissible disclosure under the HIPAA Privacy Rule. This is critical because a breach that affects more than 500 individuals must be reported to the OCR, significantly increasing the possibility of regulatory inquiries.

This position undoubtedly expands the frontiers of a reportable breach under HIPAA, but the reasoning underlying the guidance may be questionable.

First, “breach” commonly understood should be restricted to actual disclosure to, or access by, a person to readable data. HIPAA is, after all, a privacy statute at its core. This is why, for example, encrypted data is a safe harbor under HIPAA. If the attacker cannot read the data, there is no real privacy harm. In a ransomware attack, generally speaking, no one is reading the data besides the malicious code and even in this case, documents containing ePHI may never be opened because they are encrypted at a file level. In fact, a ransomware attack is in some ways the opposite of a traditional breach—instead of rendering the PHI more public and less secure, ransomware causes the data to be too secure, secure even from its authors and users.

Second, in order for a “breach” to be considered a breach, the security and privacy of the PHI must be comprised. The OCR’s guidance expands the probability of compromise analysis to ransomware attacks, requiring a victim to evaluate:

• The nature and extent of the PHI involved;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed;
• The extent to which the risk to the PHI was been mitigated.

But this analysis is awkward as applied to ransomware. Presumably the unauthorized person in question is the attacker, but the ability to encrypt data does not necessarily confer on the attacker the ability to read data. There is no need to read the data since denying the victim access to his data is enough to elicit payment. Moreover, ransomware attacks typically can be mitigated with timely backups, yet the guidance makes no mention of this possibility.

In addition, the OCR guidance appears to require advanced forensic analysis to determine whether a reportable breach has occurred.  The guidance states:

“A thorough and accurate evaluation of the evidence acquired and analyzed as a result of security incident response activities could help entities with the risk assessment process above by revealing … the exact type and variant of malware discovered; the algorithmic steps undertaken by the malware; communications, including exfiltration attempts between the malware and attacker’s command and control servers; and whether or not the malware propagated to other systems …”

This specific recommendation is likely to impose significant costs on victims. Forensic analysis should be performed in most cases, but in many instances analysis does not result in definitive conclusions regarding the type of malware utilized or communications with command and control servers given the ability of many high-level hackers who write ransomware to “hide their tracks” using various techniques.

“Breach” or not, it is clear that ransomware attacks will be subjected to expanded regulatory scrutiny in the health care sector given their extraordinary prevalence. As the expansion of regulatory scrutiny to this and other new attack methods continues to evolve with the methods themselves, organizations must continually adapt, with the goal of minimizing exposure and maximizing compliance in a cost-efficient manner.  Moreover, in light of this guidance, it is all the more critical to thoroughly document the investigatory findings and conclusions supporting a determination of whether a reportable breach has occurred.