In a recent issue of Forbes magazine, author Dan Munro asks the question, “Is Ransomware Considered a Health Data Breach Under HIPAA?”
In developing the answer to that question, Dan speaks with experts in the healthcare and compliance domains, and the headline question is answered with a reasoned “No.”
According to the information presented, a ransomware attack should not be considered to have violated the PHI disclosure restrictions in HIPAA, and it is more about “the message of lax security that’s being broadcast to cybercriminals around the world.”
I think otherwise.
Ransomware attacks need to be disclosed as unauthorized exposures of private information because they are every bit as dangerous as the outright theft of the laptop, desktop, or server that they infect.
In 2015, according to the Office of Civil Rights (OCR) at the US Department of Health and Human Services, there were over 300 disclosed healthcare breaches. Of these, about one-third are attributed to the loss or theft of some piece of equipment: a laptop, desktop, server, or other portable electronic device.
Over 100 of the disclosed breaches, representing hundreds of thousands of records, were reported because a system that contained PHI came under the control of a criminal. There is no need to verify that the information stolen in this manner is ever accessed or used; the existence of this important information in the hands of a criminal is enough of a threat that it must be reported.
These losses and thefts require disclosure under HIPAA because the systems being accessed, and the PHI they contain, are no longer in the control of the healthcare provider. This sounds a lot like ransomware.
Understanding ransomware attacks
There are a couple of different popular types of ransomware. Some are programs that take control of the machine and lock it down so that the legitimate user can’t even enter the system before paying the ransom. Clearly, in this case, the system is no longer in the control of the healthcare provider, and is, for some period of time, under the control of a criminal.
Sometimes the locked system is being remotely accessed and driven by whatever criminal awaits the Bitcoin payment, and its activities are unknowable to the legitimate owner until the criminal reconfigures and unlocks the system. Here you have PHI on a system under the control of a criminal.
A more common form of ransomware takes the time to encrypt files that are expected to be valuable to the system owner. In this case, the ransomware installs itself, then identifies and individually encrypts those valuable files.
In this process, it accesses the files, passes them through an encryption function, and then stores the resulting encrypted copies in their place. Again, the ransomware has now obviously accessed any PHI on the infected system and will access it again when the original patient data is reconstituted after the ransom has been paid.
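The access-then-encrypt-in-place pattern described above leaves a measurable trace: a file that used to hold readable patient data suddenly has contents that are statistically indistinguishable from random bytes. The following script, added here as an illustration and not part of the original article, scans a directory, samples each file's contents, and flags files whose Shannon entropy is near the 8 bits/byte ceiling. It builds its own constructed sample directory (a plain-text visit note, a CSV whose bytes have been replaced with random data to stand in for an encrypted-in-place copy, and a compressed archive) so it runs offline; the file names, the 7.5-bit threshold, and the list of naturally high-entropy extensions are assumptions chosen for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed list: formats that are compressed or encrypted by design and are
# therefore legitimately high-entropy. Skipping them cuts false positives,
# since a zip or JPEG looks just as "random" as a ransomware-encrypted file.
NATURALLY_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".pdf", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 maximum."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_likely_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Plain text and structured records rarely exceed ~6 bits/byte; ciphertext
    and random bytes sit close to 8.0. The threshold is an assumed tuning value."""
    return shannon_entropy(data) >= threshold


def scan_directory(root, threshold: float = 7.5, sample_bytes: int = 65536) -> list:
    """Return the names of files under `root` whose leading bytes look encrypted,
    ignoring extensions that are high-entropy by nature."""
    flagged = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() in NATURALLY_HIGH_ENTROPY:
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)  # sampling keeps large files cheap
        if is_likely_encrypted(head, threshold):
            flagged.append(path.name)
    return flagged


def build_demo_directory() -> Path:
    """Constructed sample data for the demonstration: one readable patient note,
    one record file whose contents were replaced by random bytes (standing in
    for an encrypted-in-place copy), and one legitimately compressed archive."""
    root = Path(tempfile.mkdtemp(prefix="phi_demo_"))
    (root / "visit_note.txt").write_text("Patient presented with mild fever.\n" * 200)
    (root / "lab_results.csv").write_bytes(os.urandom(8192))
    (root / "backup.zip").write_bytes(os.urandom(8192))
    return root


if __name__ == "__main__":
    demo = build_demo_directory()
    print("Files that look encrypted in place:", scan_directory(demo))
```

Entropy alone is a coarse signal; in practice it is paired with the rate of file modifications and with extension changes, because a single high-entropy file is ordinary while hundreds of documents crossing the threshold within minutes is the in-place encryption sweep the text describes.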
In April of 2014, the FBI released a report in which it set the value of a stolen medical record at approximately $50. Last year, National Public Radio reported on the value of stolen medical records and highlighted a dealer selling them for roughly $470/record.
In contrast, the monetization of these infected systems through ransomware is currently around $500 an attack. With this kind of access to records and a Bitcoin-enabled anonymous transaction engine, it is predictable, if not expected, that the same attacks will evolve to take advantage of this additional value via a two-phase collection.
First, ransom will be demanded to make the system and data accessible to the rightful owner so that healthcare can be provided. Second, the accessed records will be put up for sale on the dark web, ultimately exposing the patients’ healthcare information.
This question of breach disclosure matters because underreporting makes it difficult to create a balanced solution to any complex and costly issue. We are at a tipping point with ransomware, and appropriate disclosure is critical to informed preparation and prevention.
We need to get a handle on the actual spread and cost of these attacks so that organizations can justify investments to prevent infection, and so that legislators and law enforcement agencies will see clearly the enormous risk that ransomware poses.
Jack Danahy is co-founder and CTO of the endpoint security company Barkly. A 25-year veteran of the security industry, Danahy was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.