[ Friday, November 30, 2018 ]
This is important, and in my (personal, non-legal) opinion an important piece of news relative to one of the biggest issues affecting HIPAA covered entities.
Jeff [12:20 PM]
The FBI has gotten specific about one of the current strains of ransomware that is plaguing the healthcare industry. Of specific importance to note in the HIPAA arena is the fact that this variant apparently simply encrypts the data it finds, and does not extract, view, or send out the data. That's very important to a ransomware victim, since despite what OCR's guidance has been to date, if there's no viewing or outside transmission of the data, there is not a "breach" as defined in the Breach Notification Rule (45 CFR 164, part D).
To be a "breach," there must be acquisition, access, use, or disclosure. In this type of ransomware, the bad actor inserts virus software onto the victim's computer system, but the bad actor does not access the data. Any access only happens within the victim's computer system, by the software that is now part of that computer system. If the virus then sends out some of that data that includes PHI to a third party, THEN you'd have acquisition by the third party, access by the third party, and disclosure to the third party, all of which WOULD be a breach. Likewise, if the virus opens up a door that allows outside third parties to enter the system, and third parties do enter the system, you'd have access and disclosure, which would likely lead to acquisition and use. However, if the virus does not exfiltrate data or allow outside access, then you do not have acquisition, access, use, or disclosure.
This is an important distinction.
This is also not legal advice.