“A breach has occurred because the Electronic Protected Health Information (ePHI) encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information). . .”In a parenthetical statement, the HHS has memorialized the act of encrypting data as “control” of the information. I would hope that this new classification will have many scratching their heads, wondering, “If I have good backups, then the control is mitigated.” (Failure to protect data is also a violation of HIPAA rules.) In fairness to the Department of Health and Human Services, the new guidelines also allow an organization to demonstrate that there is a “low probability that the Protected Health information has been compromised,” however, the 4-step risk assessment is geared more towards a general malware outbreak, rather than a ransomware event. Ransomware simply does not work the way the authors of the new HHS guidelines have implied. Even in a targeted attack, the ransomware authors are not seeking to use any of the data that is encrypted; they are after the value of the target getting back in operation. In random ransomware events, the attacker simply fires up the spam-generating engine and hope for some bites on their phishing lures. Ransomware is a lucrative business. One strain has been reported to cost victims over $18 million in one year. Ransomware criminals do not have to waste their time trying to fence stolen data. The greatest concern with this new breach classification is that it can spread to other regulations, and eventually find its way into the general practice of corporate risk officers. Nothing could be more wasteful of a security team’s time than explaining that no data was stolen every time a piece of ransomware is detected. Of course, the best protections against ransomware remain the same:
- A layered defense;
- Good backups that are stored offline and regularly tested;
- Security awareness training for all staff;
- Access controls;
- Vulnerability assessments and penetration testing (including hunt team exercises);
- Maintaining a patch management strategy.