Ransomware Reporting Requirements & New HHS Guidance

27 July 2016 Health Care Law Today Blog

Ransomware is malicious software that denies access to data, usually by encrypting it with a key that is only provided once a ransom is paid. Some ransomware also destroys, steals, or exfiltrates data from the affected information systems.

Ransomware has become a significant threat to all U.S. businesses and individuals, and a particularly dangerous one for health care. Victims not only risk losing their files or suffering a data breach; they may also incur financial loss from paying the ransom, lost productivity, IT services, legal fees, network countermeasures, and credit monitoring services for employees or customers whose information was referenced in the encrypted files. In health care the consequences can be far more serious: protected health information can be lost, destroyed, or shared with malicious actors, patient treatment can be delayed, and lives could even be lost as a result of systems being locked down by malicious actors.

Due to the significant uptick in ransomware attacks and the particularly serious threat they pose to the health care industry, the federal Department of Health and Human Services (HHS) issued a fact sheet, available here, that provides guidance on ransomware and notes that hospitals and doctors' offices may be required to notify HHS if they are victims of ransomware. As it notes, “The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. . . . Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).”

For more information, please contact the author at alosey@foley.com.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.
