OCR Publishes Ransomware Guidance for Hospitals

July 15, 2016

Protected health information (PHI) encrypted by ransomware is considered breached, according to the Office for Civil Rights’ (OCR) recently released ransomware guidance for covered entities (CE) and business associates (BA).

OCR’s guidance, released July 11, comes after a dramatic increase in ransomware attacks on hospitals. In the wake of the attacks, some organizations and lawmakers have questioned whether ransomware attacks are HIPAA breaches. Ransomware is a type of malware that encrypts data with a key that’s withheld for payment. Many types of ransomware only encrypt data but do not copy or transmit it.

However, as OCR makes clear in its guidance, a ransomware attack, or even the mere presence of ransomware or other malware on a CE's or BA's system, is a security incident under HIPAA. To encrypt the PHI, the ransomware must access it, and that access constitutes a breach. CEs and BAs should therefore follow HIPAA's security incident response procedures and breach notification requirements.

The guidance also outlines ransomware prevention, recovery, and response methods. If an organization identifies ransomware on their systems, it should first determine the scope of the attack, how the infection occurred, and whether the attack is ongoing. Using this information, the organization can begin to contain and eradicate the ransomware, restore data, conduct an investigation to determine if PHI was breached, and strengthen systems to prevent a similar attack.

OCR advises CEs and BAs to contact law enforcement as soon as ransomware is detected. This is in line with recommendations from the Department of Defense and the FBI.
