RANSOMWARE AND THE PARAMOUNT IMPORTANCE OF EVIDENCE PRESERVATION FOR HEALTHCARE ENTITIES

Organizations regulated by the Healthcare Information Privacy and Accountability Act (HIPAA) must take special care to preserve valuable forensic artifacts at the outset of a ransomware or other cybersecurity event. The HIPAA Breach Notification Rule presumes that a cybersecurity incident has resulted in unauthorized access to unsecured protected health information, and the burden shifts to the organization to show a low probability that the health information it maintains was compromised. Guidance from the Department of Health and Human Services Office for Civil Rights, the federal entity charged with enforcement of HIPAA, provides that the encryption of protected health information by ransomware per se constitutes an unauthorized disclosure of protected health information, triggering the Breach Notification Rule. Consequently, the preservation of forensic evidence capable of disproving the unauthorized access or acquisition of protected health information is paramount and should be undertaken at the outset of the response to any cybersecurity incident, especially ransomware. Breach notification is extremely costly in time, money, and goodwill. Any time and money lost during the operational downtime required to preserve forensic evidence in order to rule out access to protected health information are significantly less than the costs of notification.
