On June 27th, Nuance Communications, a provider of voice recognition software, was hit by the Petya (or NotPetya)[1] ransomware virus, locking down their systems.  A transcription service using the Nuance software, a business associate (BA) serving a number of our healthcare clients, notified our clients that this attack had put the protected health information (PHI) of their covered entities at risk.  In fact, the Office for Civil Rights (OCR) has provided guidance to the effect that any ransomware attack is a breach unless you can determine that the likelihood of inappropriate access to PHI is low, which is typically a difficult proposition.

With the advent of the HITECH Act, as of September 2013, covered entities (CEs) became responsible for breaches by their BAs.  Each practice or organization should be sure to have a business associate agreement (BAA) in place and to have conducted due diligence to ensure its BAs are following the HIPAA regulations (more than just the BA saying they are compliant!).  A BA is any entity you use that has access to PHI in order to perform a function on your behalf.

The business associate is obligated to comply with all the relevant regulations under HIPAA and the HITECH Act.  In fact, the Business Associate Agreement is really a contract in which the BA explicitly agrees to comply with all the relevant regulations.

A little-known fact is that if you “uncover any pattern of activity or practice by a business associate in violation of the Business Associate Agreement,” you must take reasonable steps to cure the breach, “and if unsuccessful, terminate the contract if feasible[2].”

In this case the transcription service (our clients’ BA) took a noncommittal position, stating that “this has never happened before,” and admitted that they have no Plan “B” for an incident such as this.  This apathy over the cyberattack raises the specter that the BA is not compliant with the regulations.  The BA should have conducted a risk analysis of the breach (required when a breach occurs) to determine what happened and the extent of the breach, if any.  A plan to remediate the cause of the breach must also be undertaken.  Additionally, the BA is required to investigate the breach, determine its size, determine the probability that there was inappropriate access to the PHI, determine whether this is a reportable breach, and then notify the covered entity as to whose records had been breached.  In the event this is a reportable breach, all of this information is required for the covered entity to adequately report the breach and defend itself in any investigations by the various regulatory agencies that may have oversight.

The HIPAA Security Rule has specific requirements that will aid in your fight against future ransomware attacks. These include:

1) Having a data backup plan. Test your restoration processes to be sure they work.
2) Having a contingency plan, which includes:

a. Disaster recovery planning (what happens if there is a cyber-intrusion, or your server goes down?).
b. Emergency operations planning (in the event your electronic PHI is unavailable, what is your backup plan?).
c. Analyzing the criticality of your applications and data to ensure all are accounted for (what is your most important data, where is it held, and how do you keep track of it?).
d. Periodically testing your contingency plans.

3) Be sure your workforce has regular security awareness training, with regular reminders. This should include how to avoid malware and how to manage passwords.
4) Have specific security incident procedures for cyber-intrusions.

The reality is that many intrusions are caused by poor security procedures.  In the case of Petya (or NotPetya), those who were most vulnerable were those who did not update or patch their legacy software (in this case Windows XP).  Good cyber-health can protect your data, so that you are not left with the task of reporting a breach of information to your patients, to HHS, and, in cases of a breach affecting over 500 individuals, to local news media.

[1] There is an ongoing discussion that this latest Petya is actually not a ransomware attack but rather may be an attack to destroy data, masking itself as ransomware.  Therefore this variant is being described as NotPetya.

[2] § 164.504 (1)(e)(1)(ii)

[3] HHS.gov.  (n.d.).  FACT SHEET: Ransomware and HIPAA.  Retrieved from https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf