The Office for Civil Rights OCR seems to consider all ransomware events a breach unless proven otherwise. This is because successful ransomware incidents affect all three aspects of data security (Confidentiality, Integrity, and Availability). Specifically:
- Confidentiality: Ransomware gained access to your data and encrypted it. This unuathorized access violated the confidentiality.
- Integrity: Once a threat actors gains access to your data and encrypts is, it is very difficult to maintain and restore the integrity of that data. Many new strands of ransomware start deleting data or corrupt first few bits of files to "pretend" encrypted state.
- Availability: This is an easy one. Data isn't available when encrypted by an intruder.
There are however ways to prove that the data is still safe and this isn't a breach. Organizations needs to look at following:
- Confidentiality - Data exflitration - did the ransomware send any data back to its command and control center?
- Integrity - New strands of Locky, Pokemon, and other ransomware actually either delete data or modify part of it. This results in loss of integrity. Done to a single machine that was quickly imaged/replaced? No issue in my opinion. However, if this resulted in an outage or EHR, "Houston! we have a problem."
- Availability of data/systems - Did the ransomware result in delay in patient care? One or two workstations wouldn't be a problem because that can be quickly remediated. However, if whole department had to go to paper, we may need to give it a second look.
Specifically, OCR Fact Sheet provides following four investigation steps (at minimum) to determine if there was a breach:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
In meantime, backup, backup, backup. It is always a good strategy to have offline backups. In addition, test your backups manually. We have become too reliant on machines and machines can be corrupted.