
Legislators Urge OCR to Treat Ransomware Attacks as Breaches under HITECH Regulations

July 1, 2016
by Heather Landi

At least two lawmakers are calling on federal regulators to treat ransomware attacks as breaches under the Health Information Technology for Economic and Clinical Health (HITECH) Act, and, in a letter, recommend guidance that “aggressively requires reporting of ransomware attacks to regulators.”

And, the lawmakers encourage regulators to require patient disclosures where denial of access to health records and/or health care services were negatively affected by a ransomware attack.

In a letter to Deven McGraw, Deputy Director of the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), Representatives Ted Lieu (D-Los Angeles County) and Will Hurd (R-San Antonio) call on OCR to recognize how ransomware attacks differ from conventional data breaches and encourage the “timely issuance of proposed guidance to address these differences.”

In the letter, Hurd and Lieu refer to HHS’ recent announcement that the agency would issue guidance to help provider organizations understand how to react in the event of a ransomware attack and establish a protocol for risk assessment, response and reporting to comply with the Health Insurance Portability and Accountability Act (HIPAA) and HITECH.

However, in the letter, the legislators point out issues that differentiate ransomware from conventional hacking. “Just because a ransomware attack qualifies as a conventional breach, that does not mean they should be treated the same or subject to the exact same risk assessment,” the lawmakers wrote.

One difference, they point out, is that rather than viewing or stealing protected health information (PHI), which infringes the privacy rights of patients, ransomware denies access to health records or information technology functions that enable the provider to offer healthcare services.

“In the case of ransomware attack, the threat is not usually to privacy, but typically to operational risks to health systems and potential impacts on patient safety, and service. Ransomware that denies access to health records or functions essential to providing health care services may create a threat to the safety of the affected patient,” the lawmakers wrote, and referred specifically to the ransomware attack at MedStar Health in March. “The recent ransomware attack on MedStar resulted in patients being turned away due to the inability to provide care.”

Lieu and Hurd further wrote, “If the provider or other party providing care would be either unable to care for the patient or unable to provide information critical to the care for the person, swift patient notification is paramount, but if the ransomware does not affect patient safety then patient notification may be unnecessary.”

They suggest that patient notification would only make sense in cases where the ransomware attack results in either a denial of access to an electronic medical record and/or loss of functionality necessary to provide medical services. “In such cases, the notification should be made to affected parties without unreasonable delay following the discovery of a breach, and, if applicable, to restore the reasonable integrity of the system compromised, consistent with the needs of law enforcement and any measures necessary for organizations to determine the scope of the breach.”

The lawmakers also encourage “rapid and mandatory notification of government agencies and shared cyber-response resources.”

“In order to learn how to defeat these attacks and ensure that the attack cannot be repeated, it will be crucial to ensure both the government through the United States Computer Emergency Readiness Team (US-CERT) and healthcare based Information Sharing and Analysis Organizations (ISAOs), such as the NH-ISAC, and other private sector organizations that share cyber threat information know details about ransomware attacks as soon as the information becomes available,” they wrote.

“Therefore, we recommend guidance that aggressively requires reporting of ransomware attacks to HHS and appropriate healthcare-related ISAOs.”

As required by the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.

The lawmakers also point out that since ransomware does not always involve viewing or stealing personal health information, “requiring a provider to offer credit counseling services may be an unnecessary expense.”

Lieu and Hurd also urge OCR to include clear guidance on data modification caused by ransomware or malware attacks, including whether deletion of entire servers or drives constitutes a breach under HITECH. “We assert that destruction of records is the same as accessing them and has a similar impact to an organization,” they wrote.
