Ransomware, HIPAA and Cybersecurity for Healthcare Information
Paying close attention to data protection and cybersecurity standards matters in every industry, but in recent years the focus on healthcare providers and insurers has sharpened. That focus began with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its measures for protecting the privacy and security of health information. With the rise in ransomware attacks over the past few years, it is worth considering how HIPAA affects you and your business practices when an attack occurs.
Under the HIPAA Security Rule, a security incident is an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations, in an information system. The Breach Notification Rule defines a breach as an acquisition, access, use, or disclosure of protected health information (PHI) that is not permitted under the Privacy Rule and that compromises the security or privacy of the PHI. Because the notification requirements apply only to unsecured PHI, that is, PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (in practice, encrypted or destroyed), further analysis is often required when ransomware is found on a system or affects data that had been encrypted. Encryption at rest, for example, does not protect data on a running system whose user is logged in, so ransomware that executes there may have had access to the PHI in readable form.
The analysis begins with the presumption that a breach has occurred. That presumption can be overcome only by demonstrating a low probability that the PHI has been compromised. To determine that probability, a HIPAA covered entity or business associate must perform a risk assessment that considers at least four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. The covered entity's subsequent obligations, including whether notification to affected individuals, HHS, and in some cases the media is required, are determined by the findings of this assessment, and the assessment itself should be documented.
As attacks continue to evolve and new kinds of data become targets, pressure on data security will grow, and healthcare is likely to be among the most affected sectors. Providers and other HIPAA covered entities should therefore expect new legislation and revised standards in response, and must track those laws and regulations to maintain continuous compliance. Reliance on third-party vendors will remain a source of risk, so attention should be paid not only to an organization's own security measures but also to those of its vendors, both through oversight of their security management and through the terms of business associate agreements and other contracts.
The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.