Legislators Urge OCR to Treat Ransomware Attacks as Breaches under HITECH Regulations

Healthcare Informatics Magazine | Health IT | Information Technology

July 1, 2016
by Heather Landi

At least two lawmakers are calling on federal regulators to treat ransomware attacks as breaches under the Health Information Technology for Economic and Clinical Health (HITECH) Act, and, in a letter, recommend guidance that “aggressively requires reporting of ransomware attacks to regulators.”

The lawmakers also encourage regulators to require patient disclosures in cases where a ransomware attack has negatively affected access to health records and/or the delivery of health care services.

In a letter to Deven McGraw, Deputy Director of the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), Representatives Ted Lieu (D-Los Angeles County) and Will Hurd (R-San Antonio) call on OCR to recognize the differences between ransomware attacks and conventional data breaches and encourage the “timely issuance of proposed guidance to address these differences.”

In the letter, Hurd and Lieu refer to HHS’ recent announcement that the agency would issue guidance to help provider organizations understand how to react in the event of a ransomware attack and establish a protocol for risk assessment, response and reporting to comply with the Health Insurance Portability and Accountability Act (HIPAA) and HITECH.

However, in the letter, the legislators point out issues that differentiate ransomware from conventional hacking. “Just because a ransomware attack qualifies as a conventional breach, that does not mean they should be treated the same or subject to the exact same risk assessment,” the lawmakers wrote.

One difference, they point out, is that rather than viewing or stealing protected health information (PHI), which infringes the privacy rights of patients, ransomware denies access to health records or information technology functions that enable the provider to offer healthcare services.

“In the case of ransomware attack, the threat is not usually to privacy, but typically to operational risks to health systems and potential impacts on patient safety, and service. Ransomware that denies access to health records or functions essential to providing health care services may create a threat to the safety of the affected patient,” the lawmakers wrote, and referred specifically to the ransomware attack at MedStar Health in March. “The recent ransomware attack on MedStar resulted in patients being turned away due to the inability to provide care.”

The lawmakers further wrote, “If the provider or other party providing care would be either unable to care for the patient or unable to provide information critical to the care for the person, swift patient notification is paramount, but if the ransomware does not affect patient safety then patient notification may be unnecessary.”

They suggest that patient notification would only make sense in cases where the ransomware attack results in either a denial of access to an electronic medical record and/or loss of functionality necessary to provide medical services. “In such cases, the notification should be made to affected parties without unreasonable delay following the discovery of a breach, and, if applicable, to restore the reasonable integrity of the system compromised, consistent with the needs of law enforcement and any measures necessary for organizations to determine the scope of the breach.”

The lawmakers also encourage “rapid and mandatory notification of government agencies and shared cyber-response resources.”

“In order to learn how to defeat these attacks and ensure that the attack cannot be repeated, it will be crucial to ensure both the government through the United States Computer Emergency Readiness Team (US-CERT) and healthcare based Information Sharing and Analysis Organizations (ISAOs), such as the NH-ISAC, and other private sector organizations that share cyber threat information know details about ransomware attacks as soon as the information becomes available,” they wrote.

“Therefore, we recommend guidance that aggressively requires reporting of ransomware attacks to HHS and appropriate healthcare-related ISAOs.”

As required by the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.

The lawmakers also point out that since ransomware does not always involve viewing or stealing personal health information, “requiring a provider to offer credit counseling services may be an unnecessary expense.”

And, Lieu and Hurd urge OCR to include clear guidance related to data modification from ransomware or malware attacks, including deletion of entire servers or drives that constitute a breach under HITECH. “We assert that destruction of records is the same as accessing them and has a similar impact to an organization,” they wrote.
