New HIPAA Guidelines from HHS on Ransomware Can Impact Medical and Dental Offices

This month the Department of Health and Human Services (HHS) released new HIPAA guidance on ransomware attacks and when medical and dental providers, or their business associates, must report a breach. 

In a nutshell, if systems storing electronic protected health information (ePHI) are compromised by ransomware, one should assume that hackers had (or have) access to ePHI; therefore a breach has likely occurred and should be reported in accordance with applicable state and federal laws. 

What exactly is ransomware?

Ransomware is now the biggest cybersecurity threat facing US businesses and consumers. Think of it as a modern-day shakedown. Hackers use malicious software (a virus) to steal, expose, delete or encrypt data, and then demand a ransom, typically in Bitcoin or another untraceable digital currency, before they will release or restore it. These attacks can incapacitate an organization for days and have a devastating impact on productivity.

The FBI reports that in 2014, over 1,800 complaints were filed regarding ransomware, resulting in a loss of more than $23 million. In 2015, that number grew to more than 2,400 complaints with a reported loss of more than $24 million. We can expect these numbers to grow exponentially over the next few years.

What is HHS saying about ransomware?

The new guidance states: “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”

The exception is when the victim organization can demonstrate that there is a “low probability that the PHI has been compromised.”

While how the guidance applies will depend on the circumstances of a given breach, organizations need to take steps now to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures, along with response and reporting processes, that are reasonable and appropriate for responding to malware and other security incidents.

The guidance can be found at:

The materials on this web site are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.
Jeremy Phelps Information Security and Data Compliance Professional
