HHS Addresses Ransomware Reporting for HIPAA Covered Entities in Wake of WannaCry Attacks | Practical Law

In the wake of the widespread and widely reported WannaCry ransomware attacks, the Department of Health and Human Services (HHS) has issued guidance addressing ransomware-related reporting standards for covered entities under the Health Insurance Portability and Accountability Act (HIPAA). The guidance references earlier HHS guidance on ransomware and cybersecurity information-sharing by HIPAA covered entities and business associates.

by Practical Law Employee Benefits & Executive Compensation
Published on 19 May 2017 | USA (National/Federal)
In response to the international WannaCry ransomware attacks on healthcare organizations, HHS has issued a series of alerts, updates, and guidance addressing how HIPAA covered entities (CEs) and business associates (BAs) should handle such attacks. The guidance also references earlier HHS guidance addressing ransomware and whether CEs and BAs may disclose protected health information (PHI) for purposes of cybersecurity information-sharing of cyber threat indicators (see Legal Update, Ransomware Attacks Addressed in HIPAA Security Guidance, HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Security Rule).

Responding to Ransomware Attacks

In its WannaCry guidance, HHS indicates that if an organization is the victim of a ransomware attack it should:

HHS Ransomware Guidance

HHS's WannaCry update references its earlier ransomware guidance (July 2016), under which HHS generally presumes that a HIPAA breach has occurred in the case of a ransomware attack (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans and Legal Update, Ransomware Attacks Addressed in HIPAA Security Guidance). (The ransomware guidance includes an exception to the general presumption of a breach if the CE or BA "can demonstrate that there is a '…low probability that the PHI has been compromised,' based on the factors set forth in the Breach Notification Rule.") A CE or BA must determine whether a breach is a reportable breach within 60 days of when it knew or should have known of the breach. However, the 60-day reporting deadline is tolled if law enforcement requests the entity to hold any reports.
HHS's ransomware guidance also outlines how complying with HIPAA's Security Rule, including under the security management process standard, may help CEs and BAs prepare for ransomware attacks (the prevalence of which has increased significantly in recent years). For more information, see Practice Note, HIPAA Security Rule: Ransomware and the Security Management Process Standard: Cybersecurity Defense.

Compliance with HIPAA's Breach Notification Rules

In its WannaCry guidance, HHS indicates that a CE or BA that reports information to law enforcement, the Department of Homeland Security (DHS), or another HHS division is not considered to have reported the information to HHS's Office for Civil Rights (OCR), as required under HIPAA's Breach Notification Rules. Rather, the CE or BA must report breaches to OCR.
HHS also indicates in its WannaCry guidance that it presumes a breach has occurred due to a ransomware attack if data is not encrypted to at least the National Institute of Standards and Technology (NIST) specifications when the attack occurred (see Practice Note, The NIST Cybersecurity Framework and Legal Update, HHS Issues HIPAA Security Rule Mapping to NIST Cybersecurity Framework). As a result, the CE or BA would need to prove (using forensic evidence or otherwise) that:
  • The electronic PHI (ePHI) was encrypted when the attack occurred.
  • The ransomware encrypted again (or "containerized") ePHI that was already encrypted.

Disclosing PHI for Purposes of Cybersecurity Information-Sharing of Cyber Threat Indicators

In September 2016, HHS addressed whether CEs or BAs could disclose PHI for purposes of cybersecurity information-sharing regarding cyber threat indicators (see generally Practice Note, The NIST Cybersecurity Framework). Under the Cybersecurity Information Sharing Act of 2015 (CISA), a "cyber threat indicator" is information necessary to describe or identify, among other things:
  • Malicious reconnaissance.
  • Methods for defeating security controls or taking advantage of security vulnerabilities.
  • A security vulnerability itself.
  • Malicious cyber commands and controls.
  • Actual or potential harm caused by an incident.
The purpose of disclosing cyber threat indicators for cyber information-sharing is to:
According to HHS, a HIPAA CE or BA generally does not need to disclose PHI to adequately describe threats or vulnerabilities. In addition, the HIPAA Privacy Rule would not permit a CE or BA to disclose PHI for cybersecurity information-sharing of cyber threat indicators unless certain requirements are satisfied (for example, a HIPAA authorization) (see Standard Document, HIPAA Authorization for Health Plans to Use and Disclose PHI). However, the Privacy Rule allows disclosures of PHI to law enforcement officials without an individual's authorization if certain conditions are met, for example:
  • Complying with a court order, court-ordered warrant, subpoena, or summons.
  • Responding to a request for limited PHI to identify or locate a suspect, fugitive, material witness, or missing person.
  • Reporting PHI to law enforcement when legally required to do so.

Practical Impact

On a quick scan of HHS's WannaCry update, one could get the impression that HHS's presumption of a breach requiring notification applies in all cases involving a ransomware attack. But there are at least two narrow exceptions to the presumption (involving data encrypted to NIST standards and situations involving a low probability that PHI has been compromised) that a CE or BA should keep in mind in the event of a ransomware attack. Otherwise, the CE must comply with HIPAA's breach notification rules, which include providing notice to affected individuals, the Secretary of HHS, and (in some cases) the media.