Although ransomware attacks pummeled the healthcare industry in 2016 -- breach reporting for ransomware was abysmal. Unfortunately, there are more than a few tough consequences to that kind of behavior.

There were 27 million patient records stolen in 450 separate data breaches that year, with 27 percent of these caused by ransomware, hacking or malware, according to the 2016 Protenus healthcare data report. But only nine organizations reported malware or ransomware breaches to the U.S. Department of Health and Human Services’ Office of Civil Rights in 2016. 

[See them all: 10 stubborn cybersecurity myths, busted]

While failure to disclose these attacks may be attributed to the vague nature of HIPAA’s breach reporting guidelines, OCR amended these rules last summer. Now, the burden of proof is on the provider to demonstrate a hacker didn’t gain access to patient data during an attack.

“OCR guidance is very clear on what the HIPAA Breach Notification Rule requires in the event of a ransomware attack,” said Steven Gravely, partner with Troutman Sanders. “I don’t think that there is any ambiguity in the OCR guidance.”

So, what’s the harm with not reporting if an organization can decrypt the data or pay the ransom to regain access? A lot.

“You can try to sweep it under the rug, and there are organizations that certainly try. But it’s a bad practice,” said CynergisTek CEO Mac McMillan. “With a ransomware attack, it means someone has compromised your environment due to a weakness -- and they’ve exploited it.”

For McMillan, skirting the issue after a ransomware attack can have multiple negative impacts -- the biggest is on staff.

“Your staff will recognize what you’ve done, and it will affect their confidence in whether your organization takes security seriously,” he said. “The message you’re sending to staff is that security is not important.”

Another issue is with organizations that pay to get the data back, although both the FBI and the U.S. Department of Health and Human Services have repeatedly warned against this method.

McMillan explained that criminals on the dark web talk to each other, and once an organization pays to regain access, the criminal who hit the organization will most likely spread the word to others with nefarious intent. 

In fact, according to McMillan, there are lists out there of these organizations on the dark web.

Further, an organization can’t just pay the ransom, patch the flaw and move on without a real assessment.

Take, for example, Peachtree Neurological Clinic: In July, its forensic team found a 15-month breach during an investigation on a separate ransomware attack. Had it simply paid the ransom or decrypted the files and moved on -- Peachtree might still be dealing with an unknown hack.

Lastly, while ransomware’s key function is to lock the users out of its data, there’s a common misconception that the hacker can’t or won’t have access to patient records during the attack.

“By definition, the ransomware attacker has obtained unauthorized access to the PHI by the act of encrypting it,” Gravely said. “In many instances, the attacker retains the data and sells it on the black market even if the ransom is paid and access to the target system is restored. These are the reasons why OCR guidance advises that any ransomware attack is presumed to be a reportable breach.”

“Everyone can have an incident, and everyone gets that,” said McMillan. “The difference is a smart organization has the right response, informs those who need to be informed and does what needs to be done. They fare much better with the people they serve, regulators -- the whole nine yards.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com