
Legislators Urge OCR to Treat Ransomware Attacks as Breaches under HITECH Regulations

July 1, 2016
by Heather Landi

At least two lawmakers are calling on federal regulators to treat ransomware attacks as breaches under the Health Information Technology for Economic and Clinical Health (HITECH) Act, and, in a letter, recommend guidance that “aggressively requires reporting of ransomware attacks to regulators.”

The lawmakers also encourage regulators to require patient disclosures where a ransomware attack denies access to health records and/or negatively affects the delivery of health care services.

In a letter to Deven McGraw, Deputy Director of the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), Representatives Ted Lieu (D-Los Angeles County) and Will Hurd (R-San Antonio) call on OCR to recognize the differences between ransomware attacks and conventional data breaches, and encourage the “timely issuance of proposed guidance to address these differences.”

In the letter, Hurd and Lieu refer to HHS’ recent announcement that the agency would issue guidance to help provider organizations understand how to react in the event of a ransomware attack and establish a protocol for risk assessment, response and reporting to comply with the Health Insurance Portability and Accountability Act (HIPAA) and HITECH.

However, in the letter, the legislators point out issues that differentiate ransomware from conventional hacking. “Just because a ransomware attack qualifies as a conventional breach, that does not mean they should be treated the same or subject to the exact same risk assessment,” the lawmakers wrote.

One difference, they point out, is that rather than viewing or stealing protected health information (PHI), which infringes the privacy rights of patients, ransomware denies access to health records or information technology functions that enable the provider to offer healthcare services.

“In the case of ransomware attack, the threat is not usually to privacy, but typically to operational risks to health systems and potential impacts on patient safety, and service. Ransomware that denies access to health records or functions essential to providing health care services may create a threat to the safety of the affected patient,” the lawmakers wrote, and referred specifically to the ransomware attack at MedStar Health in March. “The recent ransomware attack on MedStar resulted in patients being turned away due to the inability to provide care.”

Lieu and Hurd further wrote, “If the provider or other party providing care would be either unable to care for the patient or unable to provide information critical to the care for the person, swift patient notification is paramount, but if the ransomware does not affect patient safety then patient notification may be unnecessary.”

They suggest that patient notification would only make sense in cases where the ransomware attack results in either a denial of access to an electronic medical record and/or loss of functionality necessary to provide medical services. “In such cases, the notification should be made to affected parties without unreasonable delay following the discovery of a breach, and, if applicable, to restore the reasonable integrity of the system compromised, consistent with the needs of law enforcement and any measures necessary for organizations to determine the scope of the breach.”

The lawmakers also encourage “rapid and mandatory notification of government agencies and shared cyber-response resources.”

“In order to learn how to defeat these attacks and ensure that the attack cannot be repeated, it will be crucial to ensure both the government through the United States Computer Emergency Readiness Team (US-CERT) and healthcare based Information Sharing and Analysis Organizations (ISAOs), such as the NH-ISAC, and other private sector organizations that share cyber threat information know details about ransomware attacks as soon as the information becomes available,” they wrote.

“Therefore, we recommend guidance that aggressively requires reporting of ransomware attacks to HHS and appropriate healthcare-related ISAOs.”

As required by the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.

The lawmakers also point out that since ransomware does not always involve viewing or stealing personal health information, “requiring a provider to offer credit counseling services may be an unnecessary expense.”

And, Lieu and Hurd urge OCR to include clear guidance related to data modification from ransomware or malware attacks, including deletion of entire servers or drives that constitute a breach under HITECH. “We assert that destruction of records is the same as accessing them and has a similar impact to an organization,” they wrote.
