When Do Ransomware Attacks Require Breach Notification? OCR's Deven McGraw Explains the Requirements Under HIPAA
Most - but not all - ransomware attacks against healthcare organizations are reportable breaches requiring notification to affected individuals and federal regulators, explains Deven McGraw, deputy director of health information privacy at the Department of Health and Human Services' Office for Civil Rights.
Although OCR - the agency that enforces HIPAA - issued guidance on the ransomware issue in July, confusion still exists among many covered entities and business associates about whether they need to provide breach notification to affected individuals and federal regulators about these attacks, which have been surging in the healthcare sector in recent months.
"The devil is always in the details with respect to whether or not there is a need to notify because the low probability of compromise test is not met," McGraw says in a video interview at Information Security Media Group's recent Healthcare Security Summit in New York. "But the presumption is notification is required. The low probability of compromise is just a determination of whether you don't have to notify. In most circumstances, if the breach definition is met, which in many times in a ransomware attack it would be, then the presumption is to notify."
In the interview, McGraw also discusses:
- OCR's launch of remote "desk" HIPAA compliance audits of business associates this month and its plans to begin selected onsite audits for covered entities and BAs in the first quarter of 2017;
- The surge of cyberattacks in the healthcare sector;
- OCR's plans for guidance on texting and social media.
Before joining OCR, McGraw was a partner at the law firm Manatt, Phelps & Phillips LLP, where she co-chaired its privacy and data security practice. Earlier, she was director of the health privacy project at the Center for Democracy & Technology, a consumer advocacy group. For six years, McGraw served as an adviser to HHS on health data privacy and security issues. She served on the Health IT Policy Committee, which advises HHS' Office of the National Coordinator for Health IT, and co-led the committee's Privacy and Security Workgroup - previously called the Privacy and Security Tiger Team - as well as its Information Exchange Workgroup.