Experts: There’s no gray area with ransomware breach reporting
When cybercriminals began the onslaught of ransomware attacks on the healthcare industry in early 2016, very few organizations were prepared for how best to respond. Further, most of these attacks went unreported.
In fact, over 4,000 ransomware attacks occurred each day in 2016, across all industries, according to the U.S. Department of Justice. More than 27 million healthcare records were stolen in 2016 across 450 reported data breaches -- 26.8 percent of these were caused by ransomware, hacking or malware, according to the 2016 Protenus healthcare data report.
And yet, only nine healthcare organizations reported malware or ransomware breaches to OCR in 2016.
In response, the U.S. Department of Health and Human Services’ Office for Civil Rights updated its breach guidance in July 2016 to clarify ransomware breach reporting.
But despite a recent report from the Wall Street Journal that pointed out a purported loophole in OCR breach reporting requirements from HHS, the new rules make it very clear: The burden of proof lies with the provider to substantiate that no breach has occurred.
Before the major ransomware surge, determining whether a breach had occurred fell on OCR. But the new guidance states that every ransomware attack should be presumed to be a breach. Thus, the responsibility shifted to the organization, according to Matt Fisher, partner with Mirick O'Connell in Worcester, Massachusetts.
“OCR guidance is very clear on what the HIPAA Breach Notification Rule requires in the event of a ransomware attack,” said Steven Gravely, partner with Troutman Sanders. “I don’t think that there is any ambiguity in the OCR guidance.”
According to the WSJ piece, HHS mandates reporting on attacks that end in data being exposed, and ransomware only encrypts data.
But during a ransomware attack, hackers use malware to seize control of data that effectively denies users access. “By definition, the ransomware attacker has obtained unauthorized access to the PHI by the act of encrypting it,” Gravely said.
“In many instances, the attacker retains the data and sells it on the black market even if the ransom is paid and access to the target system is restored,” he said. “These are the reasons why OCR guidance advises that any ransomware attack is presumed to be a reportable breach.”
Ransomware is a major concern to organizations trying to determine the right way to report, said Pam Hepp, shareholder, healthcare practice at Buchanan, Ingersoll & Rooney.
"We've seen a spike in the number of attacks, but we haven't seen an increase in reporting. It's interesting," Hepp said. "I wouldn't be shocked if the number of ransomware attacks is underreported, or the analytics undertaken weren't sufficient to demonstrate there wasn't a breach."
Hepp believes that at the end of OCR’s Phase 2 of the auditing program -- which covers breach reporting -- OCR will identify breaches that weren't reported in a timely manner, or weren't reported at all.
For Fisher, what organizations struggle with is determining how much data has been breached when performing a risk assessment.
“The nuance that you need to worry about is that the OCR's position is that if there's a ransomware attack, then the system has been breached,” he continued.
Organizations must start with the presumption that ransomware is a breach – even though there may be facts that contradict that assumption, said Erin Whaley, partner at Troutman Sanders.
Simply put: if an organization can demonstrate that PHI wasn't compromised, it doesn't have to report the incident. If the data impacted by the ransomware was already encrypted properly and the organization has no reason to believe that encryption was compromised, for instance, then the PHI is considered secured.
"But all of those are very fact-specific inquiries," Whaley added. "Organizations have to look at exactly what happened. The presumption should be that the organization has been breached if ransomware has attacked a system, and the burden of proof is on the organization.”
“OCR guidance is clear in applying this existing framework to ransomware attacks,” said Gravely. “I’m confident covered entities and business associates view differently what evidence is sufficient to allow them to decide that the ransomware attack resulted in a low probability that PHI was disclosed.”
Reports have shown there are disparities between the number of reported incidents and actual breaches, but to Gravely that “doesn’t mean that the OCR guidance is ambiguous or has a loophole.”