The WannaCry ransomware attacks in May raged through hospital systems in the U.K. The healthcare industry in the U.S. was not spared the attack, either.
Two large, multi-state hospital systems in the U.S. are struggling with WannaCry nearly a month after its launch, according to HIPAA Journal.
WannaCry is similar to other crypto-ransomware. It encrypts computer files and demands a Bitcoin payment to unlock them. What makes WannaCry different are the frightening ways in which it can spread.
The perpetrators of this worldwide extortion scheme have created a new world of headaches for organizations legally bound to compliance with the HIPAA Privacy and Security Rules.
WannaCry is just the latest in a series of successful ransomware attacks on healthcare systems in the U.S. and abroad.
The number of attacks continues to balloon for many reasons:
Failure to Patch Windows
One reason WannaCry was successful is its authors knew many organizations would fail to patch computer systems in a timely manner.
WannaCry uses the EternalBlue exploit to breach unpatched Windows computers. This exploit was allegedly developed by the U.S. National Security Agency. In April 2017, the hacker group Shadow Brokers allegedly stole the exploit and published it online.
Microsoft issued a patch for the vulnerability in March 2017, one month before EternalBlue was leaked. Systems that installed the patch were immune to the primary way in which WannaCry spread.
Had the victims of WannaCry kept their machines up-to-date, many of them would have been spared the infection.
Doctors and nurses were locked out of patient information. They were met instead by a computer screen message that demanded $300-$600 in Bitcoin ransom to unlock the computers.
Routine surgeries were cancelled. Patients were diverted from accident and emergency departments. The real-life impact of cyberattacks on healthcare systems became apparent.
In the U.S., every organization that handles patient data (ePHI) is subject to HIPAA. All data breaches that affect ePHI must be reported to the OCR.
Many healthcare professionals have wondered – is a ransomware attack a breach under HIPAA? Does it have to be reported?
The answer: probably.
Guidance from the U.S. OCR
Prior to WannaCry, the U.S. Office for Civil Rights published a statement to help healthcare organizations better understand ransomware attacks and how they affect HIPAA compliance.
The document notes that any ransomware attack that successfully encrypts electronic protected health information (ePHI) is considered a breach under HIPAA.
This is true unless the organization can demonstrate a “low probability that PHI has been compromised” – such as by showing the data was encrypted by the organization prior to the attack.
When the WannaCry attack kicked off, OCR sent email reminders with links to this document, and other helpful information about ransomware, to hospitals and healthcare organizations across the U.S.
First, a security incident and a data breach are not the same. HIPAA defines them as follows:
As you can see, a security incident is simply an attempt to gain unauthorized access. However, a data breach is a successful attempt to gain unauthorized access to protected health data.
In its Ransomware and HIPAA Fact Sheet, the OCR argues that a ransomware infection that encrypts patient data is a HIPAA breach unless the attacked organization can prove otherwise.
The onus of proof is on the covered entity or business associate. When a computer system has been compromised, it’s tough to prove its records haven’t been compromised as well.
The numbers continue to add up. In 2010, 199 covered entities and business associates reported HIPAA breaches that affected more than 6 million individuals.
As of June 2017, 127 covered entities and business associates reported HIPAA breaches affecting more than 2 million individuals.
These breaches not only affect the privacy and well-being of individuals. Increasingly, they will take a toll on the finances of every company affected.