I am always counseling my clients to be careful in their use of the term "breach." (I call it the "B Word"). The reason for such caution is because the term "breach" has a very specific meaning and associated obligations under both U.S. state law, and federal law (i.e., HIPAA). With its recent guidance on ransomware, the Department of Health and Human Services ("HHS") has expanded what constitutes a breach under the Health Insurance Portability and Accountability Act ("HIPAA"), and in doing so, provides a reminder to all of us that security is not just keeping information "private" and from being viewed by an unauthorized party.
What's New: Ransomware Now Triggers "Breach" under HIPAA. Last month, the HHS issued Fact Sheet stating that a security incident involving "ransomware," such as crypto lockers, qualifies as a "breach" under HIPAA’s Data Breach Rule (45 C.F.R. §160.402 et. seq.) To the average viewer of the evening news (yes, they still exist), this might make sense and seem reasonable. If a bad guy was able to take control of your PC, lock it down or otherwise make unavailable information on that PC, a layperson watching the news might say, "sure, that is a breach."
But is it a security breach? For example, if I launch a malware attack on your system which encrypts all the protected health information ("PHI") on your system without my retrieving that data and looking at it in return for a ransom, have I breached the security of the PHI? Many would say no as the information was never taken from the system or viewed by an unauthorized person. This is not an uncommon assessment. The confidentiality or privacy of the information may not have been breached in such a crypto locker attack. However, the security of the information may have been compromised. Under HIPAA, a breach is "the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI." (Emphasis added).
Thus, under HIPAA, whether someone sees the information or not is not the only aspect of a security analysis. In its ransomware Fact Sheet, HHS expands on the Rule's comprehensive view of security, specifically that a breach of security includes any loss of information control, integrity or access. HHS states "when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a "disclosure" not permitted under the HIPAA Privacy Rule." By losing control of or access to the protected health information, the covered entity has "disclosed" the PHI and suffered a breach.
What's Not New: Fact-Specific Risk "LoProCo Assessments" Provide Balance. Fortunately, even for the most hardcore who want to split hairs on whether security has truly been breached or those who demand notice for every single security "breach," nothing has really changed in determining whether a breach exists or notice is required. Indeed, the HIPAA Data Breach Rule itself acknowledges that not all "breaches" are the same, and therefore do not all require notice to individuals and regulators. As I've shared before, HIPAA provides for a specific Low Probability of Compromise Risk Assessment, or "LoProCo" analysis that enables a covered entity to do a fact-specific analysis of whether a breach will result in a compromise of the PHI involved. It is in this analysis that you can determine if unsecured information was indeed taken, viewed, or used in a way that might compromise the that information or otherwise bring harm to the subject of the information. If such an analysis finds a low probability of compromise, then notice may not be required. That said, in its Fact Sheet, the HHS has provided additional commentary to supplement its existing LoProCo requirements, stating that breaches involving ransomware should include an evaluation of the ransomware to determine the exact type and variant of malware discovered, the algorithmic steps undertaken by the malware and whether or not the malware propagated to other systems, and this could help organizations with the risk assessment process.
Other than some helpful guidance on the specifics of ransomware risk, I do not think there is much new to see here with the HHS announcement other than a reminder that security is much more than just keeping information private. Security is also about maintaining information integrity, accessibility, and control. And breach? Be it ransomware, a "sophisticated" cyber-attack (aren't they all sophisticated?) or a lazy employee propping open the door on a hot August afternoon—security breaches happen. The question is WHEN and are you READY?
