Over three months in 2016, five separate hospitals in the US and Canada were hit by a series of targeted ransomware attacks. The most serious of these instances affected MedStar Health, the largest health care provider in the Maryland and Washington, D.C. area. Hollywood Presbyterian Hospital was also hit and ended up paying a $17,000 ransom, and attacks on Methodist Hospital in Kentucky, The Ottawa Hospital, Chino Valley Medical Center, and Desert Valley Hospital occurred as well.
Ransomware is a kind of malware that infects computer systems and begins encrypting data, blocking access to the encrypted files for anyone without the proper key. That data is held for ransom until the victims pay the hackers, who then supply a key to decrypt the data. In most cases, there’s no guarantee that paying the ransom will prompt the hackers to give victims the key, nor is there any definitive way to be sure that the encrypted data wasn’t accessed, copied, or distributed while it was being held by the hackers.
With FBI security experts recommending that victims pay the ransom and American and Canadian government officials saying otherwise, it’s safe to say that we need unified guidance on how to protect PHI and prevent breaches in this string of new and malicious cyber-attacks.
Until we receive guidance from OCR, we need to treat ransomware as a serious threat to the integrity and security of protected health information. HIPAA regulation currently doesn’t distinguish ransomware attacks from other kinds of cyber-attacks.
OCR guidance outlined in the HIPAA Breach Notification Rule qualifies a data breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of [PHI].” Additionally, organizations that have been hit by a ransomware attack must be able to prove that ransomed PHI was “actually acquired or viewed” before OCR can get involved. In cases where access history is ambiguous or unattainable, victims find themselves in a regulatory limbo.
Even if a ransomware attack is not considered a breach, the bottom line is that security needs to be taken seriously if hospitals and health care professionals stand any chance of avoiding this mounting threat to health care data and PHI.