It’s Official - Ransomware is a HIPAA Data Breach
  
28 Jul 2016

Well, it is now official: a “ransomware” event constitutes a HIPAA breach according to the HHS Office for Civil Rights, the agency responsible for making that determination. "When electronic protected health information is encrypted as the result of a ransomware attack, a breach has occurred," the HHS guidance states. The reasoning is that the attacker has taken possession or control of the ePHI, which is an unauthorized disclosure even when nothing was copied out of the network.

There is one exception: if the data had already been encrypted by the organization itself, in a way that leaves the attackers unable to read or use it, the ePHI is not considered “unsecured” and notification may not be required. This depends on the type and strength of the encryption and on the state of the system at the time of the attack. Full-disk encryption, for example, protects a powered-off laptop but not a running machine on which the user is already logged in, because the ransomware reads and writes files through the same unlocked file system the user does. So there is definitely no absolute safe harbor for just encrypting.
The guidance makes clear that a ransomware attack will usually result in a “breach” of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, entities experiencing a breach of electronic protected health information (ePHI) must notify the individuals whose information is involved, HHS, and, in some cases, the media, unless the entity can demonstrate and document through its risk assessment that there is a “low probability” that the information was compromised.

The recent ransomware attack on the Hollywood Presbyterian Medical Center would be considered a HIPAA breach under this guidance. So in addition to the $17,000 ransom it paid, the hospital would now be on the hook for the significant cost of notifying every patient whose data was affected, along with all the other HIPAA notification requirements and potential fines that come with a breach. The ransom itself may often be a small drop in the bucket compared with the overall cost of a ransomware attack.

Even though this guidance is specific to HIPAA compliance and ePHI, if your organization operates in another regulated environment (such as financial services), it would be prudent to expect other regulatory bodies to take the same view of ransomware and treat it as a data breach. So just because you are not in healthcare, don’t think that you are off the hook.

Although DeviceLock does not position itself in the ransomware/malware prevention market as such, our solution can certainly reduce the risk of malware and ransomware being introduced when it is used to enforce a “least privilege” access policy, as we recommend. When you are evaluating strategies and technologies to block ransomware, you have to look at all the potential threat vectors, with particular emphasis on endpoints, since the endpoint is where the malicious file is delivered and first executed.

Regarding ransomware, DeviceLock can contextually block several common inbound avenues for ransomware and other malware at the endpoint. It controls peripheral ports and removable media such as USB drives, blocks common network-facing applications (cloud storage services, webmail, instant messengers, FTP, torrent clients, and so on) from an endpoint computer, and controls the types of files that can be read from removable media, transferred in chat sessions, and more. Because malware and ransomware payloads are generally some form of “executable”, or an executable hidden inside a zipped or compressed “archive”, DeviceLock can block read and write access to these file types based on their actual binary content, regardless of the file name or extension the attackers give them.
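As an added illustration of the content-based file type check described above (example code written for this article, not DeviceLock's implementation), the script below classifies files by their leading bytes rather than their extension, opens ZIP archives in memory to inspect what they hide, and refuses anything that looks like an executable. The signature table, the size and nesting limits, and the sample files are constructed assumptions for the example.

```python
import io
import os
import zipfile

# Leading byte signatures ("magic numbers") for common executable and archive
# containers. Constructed table for this example; a product would carry a far
# larger one, but the principle is the same: trust the bytes, not the name.
SIGNATURES = [
    (b"MZ", "pe-executable"),            # Windows .exe/.dll/.scr
    (b"\x7fELF", "elf-executable"),      # Linux/Unix binaries
    (b"PK\x03\x04", "zip-archive"),      # ZIP (also docx/xlsx/jar containers)
    (b"Rar!\x1a\x07", "rar-archive"),
    (b"7z\xbc\xaf\x27\x1c", "7z-archive"),
]

# Extensions under which an executable is expected; anything else is "disguised".
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".elf"}

MAX_MEMBER_BYTES = 50 * 1024 * 1024   # assumed cap to avoid zip-bomb expansion
MAX_ARCHIVE_DEPTH = 3                 # assumed cap on nested archives


def detect_type(data):
    """Classify a file by its leading bytes, ignoring its name entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "other"


def classify(name, data, depth=0):
    """Return a list of findings that would justify blocking this file.

    Executables are reported wherever they appear; ZIP archives are opened
    in memory and their members classified recursively, so an .exe hidden
    inside invoice.zip (or inside a zip inside a zip) is still caught.
    """
    findings = []
    kind = detect_type(data)

    if kind.endswith("executable"):
        ext = os.path.splitext(name)[1].lower()
        if ext in EXEC_EXTENSIONS:
            findings.append(f"{name}: {kind}")
        else:
            findings.append(f"{name}: {kind} disguised as '{ext or 'no extension'}'")

    if kind == "zip-archive":
        if depth >= MAX_ARCHIVE_DEPTH:
            findings.append(f"{name}: archive nested too deeply, blocked unopened")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(f"{member}: member too large to inspect, blocked")
                        continue
                    findings.extend(classify(member, zf.read(info.filename), depth + 1))
        except zipfile.BadZipFile:
            # A file that claims to be a ZIP but will not parse is treated as hostile.
            findings.append(f"{name}: corrupt or truncated archive, blocked")

    return findings


def should_block(name, data):
    """Policy decision: block if any finding was produced."""
    return bool(classify(name, data))


def _zip_bytes(members):
    """Build an in-memory ZIP from {filename: bytes} (helper for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def build_samples():
    """Constructed sample files: a PE stub renamed to .pdf, a clean text file,
    a zip hiding an executable, a doubly nested zip, and a harmless zip."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60          # not a real program, just the header
    inner = _zip_bytes({"update.exe": pe_stub})
    return {
        "report.pdf": pe_stub,
        "notes.txt": b"Patient follow-up scheduled for Monday.\n",
        "invoice.zip": _zip_bytes({"invoice.pdf.exe": pe_stub, "readme.txt": b"open me"}),
        "nested.zip": _zip_bytes({"inner.zip": inner}),
        "docs.zip": _zip_bytes({"a.txt": b"alpha", "b.txt": b"beta"}),
    }


if __name__ == "__main__":
    for fname, content in build_samples().items():
        verdict = "BLOCK" if should_block(fname, content) else "allow"
        print(verdict, fname, classify(fname, content))
```

Two design points matter in practice: the decision never consults the extension except to report how the file was disguised, and archives that cannot be inspected safely (too deep, too large, or malformed) are blocked rather than waved through, because an attacker who can make the inspector give up has otherwise found a bypass.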
