What happens when your healthcare data is stolen or held for ransom? It depends

Hospitals are reluctant to disclose attacks, and regulations don't offer clear advice about what to tell patients.

Why cybersecurity is a big problem for small businesses Cybersecurity attacks can cripple small businesses that aren't prepared. TechRepublic's Karen Roby talks with a security expert about ransomware, phishing attacks, and inadequate IT defense plans.

Cyberattacks on doctor's offices and hospitals are on the rise. Healthcare records are worth much more than a credit card number or Social Security number-- $250 per record vs. $5.40 for a number.

In the 2019 Travelers Risk Index, healthcare executives named cybersecurity as a top concern. The survey also found that executives are taking some steps to defend against these attacks: About half of the people surveyed had purchased cyber insurance and had written a business continuity plan. Only 34% have simulated a cyber breach to identify areas of system vulnerability.

SEE: Disaster recovery and business continuity plan (TechRepublic Premium)

Deciding whether to pay the ransom in a ransomware attack is only the first big decision to make. In the immediate aftermath of an attack, healthcare executives have to determine how state and federal rules apply to the data breach. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides some guidance and each state has its own set of laws. 

Healthcare leaders also must decide how to announce the fact that an attack has happened as well as decide how much to tell employees and patients. The decision to announce a breach is not as clear cut as it should be. 

TechRepublic contacted 15 of the biggest healthcare organizations in America to ask about their policies for managing data breaches and communicating breaches to patients and employees. 

One hospital replied, "No comment." The rest had nothing to say at all about these policies.

MonsterCloud CEO Zohar Pinhasi said his firm has seen an increase in calls from healthcare companies of up to 500% over the last few months. Because hospitals and other providers don't want to admit to losing control of their data, organizations don't disclose the attack.

"When it comes to ransomware, everyone is embarrassed, and no one wants to talk," he said.

As data breaches become a reality and not simply a worry, healthcare executives need to do more to prepare for a breach. Here is a look at what federal and state laws require as well as how to inform the public about a breach.

HIPAA and data breaches

Individual HIPAA rules cover privacy, security, and breach notification. Disclosure requirements depend on how many people are affected by a breach. If less than 500 people are affected, healthcare providers can announce the breach in one annual report. If more than 500 people are affected, the hospital or other provider has to publish a press release within 60 days. 

HIPAA notification rules assume protected health information has been exposed, not simply seized. In theory, most ransomware doesn't risk the release of that information, only the availability of it, as Allan Buxton of Secure Forensics points out.

"Although they mandate an investigation into a ransomware incident, HIPAA guidelines currently leave it up to the agency to determine if notification is necessary," he said.

Mary Hildebrand, chair of the Privacy & Cybersecurity practice at Lowenstein Sandler, said a ransomware attack is generally considered a data breach under HIPAA because it is an unauthorized disclosure of ePHI. In a ransomware attack, eEPHI is encrypted by the perpetrators who demand money, bitcoin, or some other valuable consideration for delivering a key to unlock the data.  

"OCR argues that ePHI was acquired during the encryption process, unless the covered entity that was attacked can prove otherwise," she said. "As any healthcare organization that has wrestled with this issue can tell you, this is a high bar to meet."

Chris Duvall, senior director at The Chertoff Group, said that companies must balance the potential for financial and reputational harm with legal and regulatory reporting requirements. Duvall said the legal requirements for disclosure are not always clear.  
"In addition, in some cases, US government agencies can treat those that are breached more like criminals than victims, especially if the agency perceives the organization's security capabilities were ineffectual," he said.
At a state level, laws regarding data breaches vary dramatically, basically requiring healthcare organizations to have a state-by-state approach for disclosing breaches. Most -- but not all--states require healthcare organizations to notify the attorney general or other state agency about breaches. Only 18 states set a specific time frame for notifying people whose data has been exposed. Just five states require notification when data has been accessed but not exposed.

Telling patients and employees

Vince Galloro of Sunrise Health Communications said that healthcare organizations should disclose a breach immediately even in cases where federal and state laws do not require public disclosure.

"The organization still needs to communicate with its stakeholders and the wider public about the impacts of the attack, even if it cannot describe the attack in any detail," he said. "Communication leaders in healthcare organizations should prepare a roadmap for responding to both of these situations – before they occur. "

Professor Mohammad Nejad, an associate professor of marketing at Fordham University, said that healthcare organizations have ethical responsibilities to patients as well as business reasons to disclose a breach as soon as possible. 

"This is a very unfortunate event which will lead to all stakeholders' distrust in the company, the leadership, and the employees," he said. "The more the firm is transparent and provides information, the more control they will have on the spread of negative word-of-mouth."

Hildebrand said that the question is not what to tell employees and patients, but also when and how. She recommends keeping messages brief, factual, and timely.
"Do not disclose any information that is not necessary for them to know," she said. "There will be multiple messages as solutions are implemented." 
Buxton said he would err on the side of disclosure, especially if patient data is rendered irretrievable, but only after the incident investigation is completed and the full ramifications are known.

The key-- no surprise --is to be prepared. 

"If, for example, an organization is able to execute a disaster recovery plan that includes data back-ups, applications, infrastructure/cloud capacity, and appropriately skilled staff, there are viable realistic alternatives to simply paying up," Hildebrand said.

Also see

screen-shot-2019-11-12-at-2-33-40-pm.png

Law firm Baker & Hostetler has a map that shows how state laws regulate data breaches of healthcare information. 

Image: Baker & Hostetler