At least two lawmakers are calling on federal regulators to treat ransomware attacks as breaches under the Health Information Technology for Economic and Clinical Health (HITECH) Act, and, in a letter, recommend guidance that “aggressively requires reporting of ransomware attacks to regulators.”
And, the lawmakers encourage regulators to require patient disclosures where access to health records and/or health care services was negatively affected by a ransomware attack.
In a letter to Deven McGraw, Deputy Director of the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), Representatives Ted Lieu (D-Los Angeles County) and Will Hurd (R-San Antonio) call on OCR to recognize how ransomware attacks differ from conventional data breaches and encourage the “timely issuance of proposed guidance to address these differences.”
In the letter, Hurd and Lieu refer to HHS’ recent announcement that the agency would issue guidance to help provider organizations understand how to react in the event of a ransomware attack and establish a protocol for risk assessment, response and reporting to comply with the Health Insurance Portability and Accountability Act (HIPAA) and HITECH.
However, in the letter, the legislators point out issues that differentiate ransomware from conventional hacking. “Just because a ransomware attack qualifies as a conventional breach, that does not mean they should be treated the same or subject to the exact same risk assessment,” the lawmakers wrote.
One difference, they point out, is that rather than viewing or stealing protected health information (PHI), which infringes the privacy rights of patients, ransomware denies access to health records or information technology functions that enable the provider to offer healthcare services.
“In the case of a ransomware attack, the threat is not usually to privacy, but typically to operational risks to health systems and potential impacts on patient safety, and service. Ransomware that denies access to health records or functions essential to providing health care services may create a threat to the safety of the affected patient,” the lawmakers wrote, referring specifically to the ransomware attack at MedStar Health in March. “The recent ransomware attack on MedStar resulted in patients being turned away due to the inability to provide care.”
Lieu and Hurd further wrote, “If the provider or other party providing care would be either unable to care for the patient or unable to provide information critical to the care for the person, swift patient notification is paramount, but if the ransomware does not affect patient safety then patient notification may be unnecessary.”
They suggest that patient notification would only make sense in cases where the ransomware attack results in either a denial of access to an electronic medical record and/or loss of functionality necessary to provide medical services. “In such cases, the notification should be made to affected parties without unreasonable delay following the discovery of a breach, and, if applicable, to restore the reasonable integrity of the system compromised, consistent with the needs of law enforcement and any measures necessary for organizations to determine the scope of the breach.”
The lawmakers also encourage “rapid and mandatory notification of government agencies and shared cyber-response resources.”
“In order to learn how to defeat these attacks and ensure that the attack cannot be repeated, it will be crucial to ensure both the government through the United States Computer Emergency Readiness Team (US-CERT) and healthcare based Information Sharing and Analysis Organizations (ISAOs), such as the NH-ISAC, and other private sector organizations that share cyber threat information know details about ransomware attacks as soon as the information becomes available,” they wrote.
“Therefore, we recommend guidance that aggressively requires reporting of ransomware attacks to HHS and appropriate healthcare-related ISAOs.”
As required by the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
The lawmakers also point out that since ransomware does not always involve viewing or stealing personal health information, “requiring a provider to offer credit counseling services may be an unnecessary expense.”
And, Lieu and Hurd urge OCR to include clear guidance on data modification caused by ransomware or malware attacks, including the deletion of entire servers or drives, as constituting a breach under HITECH. “We assert that destruction of records is the same as accessing them and has a similar impact to an organization,” they wrote.