OCR Tells Healthcare Organizations: A WannaCry Ransomware Attack is a HIPAA Breach

May 17, 2017 David Holtzman

The Office for Civil Rights (OCR) has issued advisories that a HIPAA covered entity or business associate affected by the “WannaCry” ransomware attack or other malware should respond to the incident as a reportable breach under the HIPAA/HITECH Breach Notification Rule. In ransomware guidance issued last year, OCR took the position that when a cybercriminal gains access to an information system that creates, transmits or maintains protected health information, this constitutes an unauthorized disclosure of electronic protected health information (ePHI).

Health care organizations in the United States that are affected by WannaCry or other forms of ransomware need to be familiar with HHS’s ransomware guidance. The guidance advises that when ePHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (since unauthorized individuals have taken possession or control of the information). Unless the organization can demonstrate that there is a low probability that the PHI has been compromised based on the factors set forth in the Breach Notification Rule, a breach is presumed to have occurred and notification is required.

CynergisTek recommends that if your organization falls victim to an attempted or successful ransomware incident, there should be a careful forensic examination of the information system to determine whether the attackers had the ability to access PHI and the extent of the individual information affected, as well as an assessment of the probability that the data was compromised, using the requirements of the Breach Notification Rule as a guide. We also recommend that you create awareness across your enterprise of how to respond in the event of an attempted or successful ransomware attack. If you would like to learn more about CynergisTek’s HIPAA Privacy programs or additional ways to perform a breach assessment, contact us here.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule and health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
