Last week's "WannaCry" worldwide Ransomware attack was particularly targeted against international health organizations. Though the attack was thwarted not without a little good luck and less financial loss that might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS). It also is no surprise that these government agencies took a carrot and stick approach – speaking about cooperation on one hand and enforcement (by OCR) on the other.

On the cooperative side, DHS and HHS have sought to work with the tech sector to employ cybersecurity best practices to address the ransomware threat, now the most common problem faced across the cyber universe but especially in health care. DHS has opined that "Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices including installation of the latest patches and avoiding phishing efforts that can implant ransomware to lock down a system. Among the recommended best practices include employee training to avoid clicking on unfamiliar links and files in emails, and to backing up data to prevent possible loss. Beyond those somewhat simplistic suggestions, one detects a decided trend towards to adoption of the voluntary framework of cybersecurity standards issued by the National Institute of Standards and Technology (NIST), which was issued in 2014 and is in the process of being updated per public comments and meetings.  This also is consistent with the recently issued Executive Order that mandates federal department compliance to the same standards suggested for the private sector, particularly the NIST framework.

The OCR enforcement component is more problematic.  On May 17, 2017, Iliana Peters, a HIPAA compliance and enforcement official at OCR, announced at a Georgetown University Law Center cybersecurity conference that OCR will "presume a breach has occurred" when an HIPAA covered entity or associate has experienced a ransomware attack, due to the nature of how ransomware attacks work. This is somewhat at odds with the way that ransomware actually works. Ransomware generally is a form of blackmail where a Trojan will deprive a data owner of access to its own data unless a ransom is paid (often by Bitcoin or another block chain currency). OCR's presumption can be overcome especially if health care data were encrypted prior to the incident (and presumably that would include data at rest). HHS's ransomware guide provides that:

"Unless the covered entity or business associate can demonstrate that there is a 'low probability that the PHI has been compromised,' based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. ... The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements."

Thus, if there is anything to take away from this, it is to encrypt PHI – period.

OCR offers to work with the private sector to provide technical assistance.  This might be useful to very small, unsophisticated  organizations.  Larger private sector entities arguably have resources and technical skills that surpass those of the government.  Indeed, the President's Executive Order recognizes this.

We at Epstein Becker Green will have more to say about the ransomware threat and other cyber security vectors affecting the health care space. Expect a webinar and other publications like this one in the near future.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.