“The FBI has reported an increase in ransomware attacks and media have reported a number of ransomware attacks on hospitals.” In response, the Office for Civil Rights (OCR) of the US Department of Health & Human Services (HHS) issued a Fact Sheet and report on July 11, 2016 entitled “Your Money or Your PHI: New Guidance on Ransomware.” The OCR made it clear that if a Covered Entity has properly encrypted its ePHI (electronic Protected Health Information) before the attack, a ransomware infection that encrypts that ePHI does not by itself trigger the HIPAA breach notification rule. This was explained in the answer to Question #8, “Is it a reportable breach if the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA?”, which states that if the ePHI is:
…encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer “unsecured PHI,” then the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.
The OCR Fact Sheet explained how the HIPAA rules apply to ransomware by answering these eight questions:
SC Magazine reported that the OCR issued the ransomware guidance in response to a June 2016 letter from US Representatives Ted Lieu (California) and Will Hurd (Texas) urging HHS “to develop ransomware guidelines.”