HIPAA Is Not Enough

Hospitals are making cybersecurity headlines in 2016—but in the worst ways possible.

On February 5, Hollywood Presbyterian Medical Center in California discovered that their patient records and many other key files had been encrypted by a malware called “Locky.” They discovered an “instructions” file on their server informing them that the files would remain encrypted unless they paid the attackers a large “ransom” in Bitcoin, the crypto-currency of choice for Internet criminals. After exploring their options, hospital administrators made the decision to pay the ransom of 400 Bitcoin—approximately $17,000 USD.

Locky is a form of “ransomware,” a relatively new form of malware that encrypts users’ files and forces them to pay a “ransom” to obtain the key necessary to decrypt them. Locky is initially spread through infected e-mail attachments, then self-propagates throughout an enterprise’s network, identifying more files worthy of encryption.

Hollywood Presbyterian was one of Locky’s first victims, but its creators have clearly identified hospitals and health care providers as valuable, soft targets for their attacks. In March, Memorial Hospital in Henderson, KY suffered a Locky attack that forced them to declare an internal state of emergency. In May, Kansas Heart Hospital fell victim to a more nefarious Locky attack, wherein the attackers accepted their first ransom payment, then refused to decrypt the hospital’s files unless they paid a second, more exorbitant ransom. In August, a “massive” Locky outbreak targeted hospitals across the United States, this time in a concentrated and customized e-mail attack scheme. The total fallout from that Locky outbreak is as yet unknown.

When someone reports that a health care provider suffered an attack that rendered all of their patients’ medical records inaccessible, one’s first reaction might be to wonder what HIPAA consequences await the compromised provider. The HIPAA Privacy Rule and the cybersecurity regulations related to it are often pointed to as a “gold standard” for federal security regulations; even firms outside the health care industry tend to believe that if a system or IT vendor promises “HIPAA compliance,” their security measures likely meet any relevant corporate needs.

But to date, none of the hospitals attacked with Locky have been publicly fined or reprimanded by the Department of Health and Human Services.

The likely reason is somewhat shocking: suffering a ransomware attack, even one that renders protected health information (PHI) unavailable, is not an event contemplated by HIPAA, and may not be a breach of the HIPAA Privacy Rule at all.

Good technology partners should not stop at the minimum security required by law.

The three key goals of cybersecurity are maintaining the confidentiality, integrity, and availability of electronic data and systems. The privacy requirements of HIPAA are targeted at protecting the confidentiality of PHI. A security incident is considered a breach of the HIPAA Rules if it involves “the acquisition, access, use, or disclosure of PHI” to unauthorized individuals or for unauthorized purposes. This description covers, for example, attacks in which PHI is stolen for resale on the black market or use in identity fraud—more traditional forms of cybercrime.

But ransomware targets the availability of data, not its confidentiality. In a ransomware outbreak, attackers never “acquire” or “use” PHI, nor is it “disclosed” to them or any other party outside the provider’s network. The data is “accessed” by the malware itself, but only for the purpose of encrypting it.

In its Ransomware Fact Sheet, HHS asserts that a ransomware outbreak is a “security incident” under the HIPAA Rules. But they state that whether or not a provider’s falling victim to a ransomware attack is a breach of the HIPAA Rules is “a fact-specific determination.” They claim that if PHI is encrypted by ransomware, it has been “acquired” by the attackers. But in the typical ransomware attack, the actual patient data never leaves the provider’s network and is never viewed by the attackers’ human eyes. The attackers render the PHI unavailable to anyone, including themselves. It would seem difficult to make the case that a party that never has direct access to PHI has “taken possession or control of the information” (the HIPAA definition of “acquire”). There is a distinction between taking control of information and removing others’ control over that information.

HHS correctly asserts that HIPAA compliance may help providers and business associates avoid or recover from a ransomware attack. But this depends on whether a provider’s cybersecurity framework is targeted solely or largely toward patient confidentiality, or whether a provider has a robust defense-in-depth strategy that also sufficiently addresses the continual availability and integrity of patients’ EMR. Rapid recovery from a ransomware outbreak—without paying the ransom—requires sufficient data backups to systems that cannot be touched by the malware, and a disaster recovery plan that details how to integrate the backup data into the network without putting it at risk of the same infection.

More importantly, when it comes to ransomware or any malware that spreads through social engineering, an ounce of prevention is worth several pounds of cure. Making sure health care personnel are well educated in cybersecurity policies and safe computer use is a critical task to securing any enterprise.

When LAMB started developing their data interoperability services for the health care industry, I, as the company’s General Counsel, was charged with exploring the legal compliance needs, including compliance with HIPAA and its sister law, HITECH. It did not, therefore, come as a surprise to me when hospitals, which one can expect to be HIPAA-compliant, fell victim to Locky and related ransomware. Regulatory compliance can confer a false sense of security, and this is one prime example.

In fact, this was one of the issues that drove me to augment my legal education and experience with an education in cybersecurity management. Good technology partners should not stop at the minimum security required by law. Instead we should ask, what are the real and potential threats our clients might face, and how can we maximize the protection of our clients’ data (and their clients’ or patients’ data), given their and our combined resources? I am blessed to work in an environment where we seek to answer that question as part of every project.

Thom Gray
Legal & Security

Published Sep 14, 2016