Hospital Ransomware Attacks: A HIPAA Breach?

hospital ransomware attacks The WannaCry ransomware attacks in May raged through hospital systems in the U.K. The healthcare industry in the U.S. was not spared the attack, either.

Two large, multi-state hospital systems in the U.S. are struggling with WannaCry nearly a month after its launch, according to HIPAA Journal.

Beyond workstations and servers, medical devices were also hit. Siemens issued a number of security advisories for medical systems that handle everything from mammograms to MRIs.

WannaCry is similar to other crypto-ransomware. It encrypts computer files and demands a Bitcoin payment to unlock them. What makes WannaCry different are the frightening ways in which it can spread.

The perpetrators of this worldwide extortion scheme have created a new world of headaches for organizations legally bound to compliance with the HIPAA Privacy and Security Rules.

Why Does Ransomware Attack Hospitals?

WannaCry is just the latest in a series of successful ransomware attacks on healthcare systems in the U.S. and abroad.

The number of attacks continues to balloon for many reasons:

Healthcare organizations collect information that can affect life and death situations; a perfect target for a ransom demand.
Health data is valuable on the black market; an attractive prize for thieves.
Medical professionals thrive on convenience, which means records are often located on multiple devices with multiple access points; a cybercriminal’s perfect hunting ground.
Healthcare is the number one priority of healthcare organizations; cybersecurity is often not where resources are concentrated.
Healthcare cybersecurity is notoriously lax. Experts have sounded alarms about this for years, with some predicting a spike in healthcare data breaches in 2017.

Failure to Patch Windows

One reason WannaCry was successful is its authors knew many organizations would fail to patch computer systems in a timely manner.

WannaCry uses the EternalBlue exploit to breach unpatched Windows computers. This exploit was allegedly developed by the U.S. National Security Agency. In April 2017, the hacker group Shadow Brokers allegedly stole the exploit and published it online.

Microsoft issued a patch for the vulnerability in March 2017, one month before EternalBlue was leaked. Systems that installed the patch were immune to the primary way in which WannaCry spread.

Had the victims of WannaCry kept their machines up-to-date, many of them would have been spared the infection.

What Happened to Hospitals in the U.K.?

In May 2017, 47 different trusts in England’s National Health Service (NHS) and 13 NHS organizations in Scotland were struck by WannaCry ransomware.

Doctors and nurses were locked out of patient information. They were met instead by a computer screen message that demanded $300-$600 in Bitcoin ransom to unlock the computers.

Routine surgeries were cancelled. Patients were diverted from accident and emergency departments. The real-life impact of cyberattacks on healthcare systems became apparent.

Is a Ransomware Attack a HIPAA Breach?

In the U.S., every organization that handles patient data (ePHI) is subject to HIPAA. All data breaches that affect ePHI must be reported to the OCR.

Many healthcare professionals have wondered – is a ransomware attack a breach under HIPAA? Does it have to be reported?

The answer: probably.

Guidance from the U.S. OCR

Prior to WannaCry, the U.S. Office for Civil Rights published a statement to help healthcare organizations better understand ransomware attacks and how they affect HIPAA compliance.

The document notes that any ransomware attack that successfully encrypts electronic protected health information (ePHI) is considered a breach under HIPAA.

This is true unless the organization can demonstrate a “low probability that PHI has been compromised” – such as by showing the data was encrypted by the organization prior to the attack.

When the WannaCry attack kicked off, OCR sent email reminders with links to this document, and other helpful information about ransomware, to hospitals and healthcare organizations across the U.S.

What is a HIPAA Data Breach?

First, a security incident and a data breach are not the same. HIPAA defines them as follows:

Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Breach means the acquisition, access use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

As you can see, a security incident is simply an attempt to gain unauthorized access. However, a data breach is a successful attempt to again unauthorized access to protected health data.

In its Ransomware and HIPAA Face Sheet, the OCR argues that a ransomware infection that encrypts patient data is a HIPAA breach unless the attacked organization can prove otherwise.

The onus of proof is on the covered entity or business associate. When a computer system has been compromised, it’s tough to prove its records haven’t been compromised as well.

How to Report a HIPAA Breach

Contact a local FBI field office
Submit incident details to the FBI’s Internet Crime Complaint Center
Report the incident to United States Computer Emergency Readiness Team (US-CERT)
File a HIPAA breach report with the OCR.

Hospital Ransomware Attacks Continue

The numbers continue to add up. In 2010, 199 covered entities and business associates reported HIPAA breaches that affected more than 6 million individuals.

As of June 2017, 127 covered entities and business associates reported HIPAA breaches affecting more than 2 million individuals.

These breaches not only affect the privacy and well-being of individuals. Increasingly, they will take a toll on the finances of every company affected.