HHS: Ransomware attacks considered breaches in most cases

In its latest ransomware guidance, HHS indicates that ransomware attacks will generally be considered a security incident under the HIPAA Security Rule, settling an ongoing debate about whether such attacks are considered data breaches.

In ransomware events, malware encrypts a computer network and locks users out of the computer files. Stakeholders questioned whether this type of attack is considered a data breach because in such events data is made inaccessible to the users and not necessarily accessed or extracted.

HHS' latest guidance says determining whether a ransomware attack is a breach is a "fact-specific determination," but a breach is "presumed to have occurred" unless the covered entity or business associate can demonstrate a "low probability" that protected health information has been compromised.

As such, entities must comply with breach notification rules and requirements, including reporting the incident to the media if the incident affects more than 500 individuals.

For covered entities to demonstrate there is a low probability protected health information has been compromised, they must conduct a risk assessment considering four factors:

1. the nature and extent of the protected health information involved;

2. the unauthorized person who used the PHI or to whom the disclosure was made;

3. whether PHI was actually acquired or viewed; and

4. the extent to which the risk to PHI has been mitigated.

The guidance suggests understanding the type of malware causing the ransomware and how the ransomware functions may help covered entities in this risk assessment.

Click here to access the full guidance.

More articles on ransomware:

California bill would make ransomware a felony
4 reasons for ransomware's rise 
Why Crysis is healthcare's most threatening ransomware yet 

Copyright © 2022 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

 

Featured Whitepapers

Featured Webinars