Cybersecurity and the protection of patient health information have been at the forefront of the minds of healthcare providers and executives for some time.  However, a recent uptick in the number of “ransomware” attacks against healthcare entities – wherein hackers install malware that locks computers and renders patient records and other data inaccessible, thereby forcing providers to pay a ransom to have the files returned – has hospitals and other healthcare providers on high alert.  Indeed, according to an April 1 article from NPR, malware attacks last month in California, Kentucky, Maryland, and D.C. left 14 hospitals unable to access patient data.  Without access to their electronic files, these hospitals were forced to divert patients to other hospitals, return to using inefficient paper records, and, in most cases, pay the ransom using untraceable online currency known as bitcoin.


Although other industries and businesses are susceptible to ransomware attacks, hospitals and other healthcare providers remain more vulnerable than most due to the sensitive nature of the files up for ransom, and the potential life-and-death scenarios caused by such attacks.  As such, healthcare providers should take proactive measures, both to prevent cyberattacks and to have a plan in place to mitigate the damages.  Preventative safeguards include:


- Using stronger passwords and higher levels of encryption;

- Updating IT security policies and developing assessments to determine vulnerability;

- Managing password distributions and authorizations and limiting access to more vulnerable files.


Most importantly, providers should take care to create backups of all critical information.  Such backups should be updated regularly with copies stored offline/outside the network.


Furthermore, healthcare providers must be able to determine whether or not a particular ransomware attack implicates the breach notification requirements of the Health Insurance Portability and Accountability Act (“HIPAA”), as well as state-law breach notification requirements.  Enacted by the U.S. Department of Health and Human Services (“HHS”) in 2009 and modified in 2013, the HIPAA Breach Notification Rule requires that “covered entities” (i.e., healthcare providers, health plans, and healthcare clearinghouses) provide notification to each affected individual whose unsecured protected health information (“PHI”) is impermissibly used or disclosed.  Disclosures must also be made to the Secretary of HHS and, in some cases, the media.  Likewise, business associates who discover a breach must notify their respective covered entity of the unsecured PHI.


However, whether a particular cyberattack warrants full disclosure under the Breach Notification Rule turns on the Rule’s definition of “breach.”  Per the 2013 HIPAA Omnibus Rule, breach is defined as “the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under [the HIPAA Privacy Rule] which compromises the security or privacy of the [PHI].”  Indeed, such acquisition, access, use, or disclosure of PHI creates a rebuttable presumption that a breach has occurred.  In order to rebut this presumption, the covered entity or business associate must conduct a risk assessment to demonstrate that there is a “low probability” that the PHI has been compromised.  This risk assessment must include, at a minimum, the following factors: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.


Thus, in the case of a ransomware attack, providers must first determine whether or not their PHI was actually acquired, accessed, used, or disclosed.  As noted in a recent Forbes article, this question is not always black and white.  Indeed, where the malware installed by cybercriminals “wraps” or “locks” PHI rather than actually breaching it, HIPAA’s Breach Notification Rule will not be implicated.  Moreover, if the hackers never actually acquire or view any PHI, but merely block healthcare providers from gaining access, the third factor of the risk assessment (described above) will come into play, helping the provider demonstrate the “low probability” that the PHI has been compromised.  As such, in order to determine their obligations under the Breach Notification Rule, healthcare providers that fall victim to a cyberattack must attain a full understanding of the kind of malware used and the extent of the overall hack.


The attorneys at Chilivis Grubman represent healthcare providers of all types and sizes in connection with regulatory and compliance concerns, as well as government audits and investigations, including those related to HIPAA.  For any questions, or if we can assist you in connection with a healthcare regulatory or compliance issue or audit/investigation, please contact us at (404) 262-6505 or