According to new guidance issued by the United States Department of Health and Human Services (HHS), a ransomware incident in a HIPAA-regulated organization is now presumed to be a data breach. HIPAA is the Health Insurance Portability and Accountability Act, which must be followed by any health care provider that transmits health information in electronic form. In America, given the use of electronic medical records, that means just about every health care provider.
To most security professionals this is an unusual approach, since "data breach" has previously meant the exfiltration of data by an attacker. In fact, the Code of Federal Regulations defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted . . .”
Although there have been rumors of ransomware that also steals data, there is still no confirmed sample of such ransomware in the wild.
The HHS guidance describes the breach as follows:
“A breach has occurred because the Electronic Protected Health Information (ePHI) encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information). . .”
In a parenthetical statement, HHS has equated the act of encrypting data with “control” of the information. I would hope that this new classification will have many scratching their heads, wondering, “If I have good backups, then isn't that loss of control mitigated?” (Failing to maintain backups is itself a violation of the HIPAA Security Rule's contingency-plan requirements.)
In fairness to the Department of Health and Human Services, the new guidance also allows an organization to demonstrate that there is a “low probability that the protected health information has been compromised.” However, the four-factor risk assessment used to make that showing is geared toward a conventional breach, in which data is exposed or taken, rather than a ransomware event.
Ransomware simply does not work the way the authors of the new HHS guidance have implied. Even in a targeted attack, the operators are not seeking to use any of the data they encrypt; what they are selling is the victim's ability to get back into operation. In opportunistic ransomware campaigns, the attacker simply fires up the spam-generating engine and hopes for some bites on the phishing lures.
Ransomware is a lucrative business. One strain alone has been reported to have cost victims over $18 million in a single year. Ransomware criminals do not have to waste their time trying to fence stolen data.
The greatest concern with this new breach classification is that it may spread to other regulatory regimes and eventually find its way into the general practice of corporate risk officers.
Few things are more wasteful of a security team’s time than having to explain that no data was stolen every time a piece of ransomware is detected.
Of course, the best protections against ransomware remain the same:
- A layered defense;
- Good backups that are stored offline and regularly tested;
- Security awareness training for all staff;
- Access controls;
- Vulnerability assessments and penetration testing (including hunt team exercises);
- Maintaining a patch management strategy.