A powerful California congressman is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.
The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department’s plan to issue guidance to health care organizations about ransomware attacks. The Office for Civil Rights section of HHS, which has responsibility for health information privacy, will provide guidance on how to handle ransomware attacks, and Lieu is eager to ensure that the guidance specifically addresses how ransomware attacks relate to data breach regulations.
Ransomware is typically thought of as a consumer threat, encrypting victims’ files and demanding payment in exchange for the decryption key. But more and more ransomware variants are targeting enterprises, as attackers have figured out that extracting one large payment from a company is more efficient than squeezing smaller payments out of hundreds of individual victims. The SamSam ransomware variant, which has some worm-like behavior, has been seen attacking businesses specifically. A large-scale ransomware infection on a corporate network can have myriad consequences, but in a health-care organization it can have a variety of privacy and regulatory ramifications, too.
Lieu, a frequent advocate on privacy and security issues, said it’s important that HHS address ransomware in the context of data breaches.
“I welcome the news of HHS providing guidance to health providers on a matter that threatens so many hospital IT systems. However, we need to make clear that ransomware is not the same as conventional breaches. The threat to patients from ransomware is typically due to the denial of access to their medical records and medical services. Not only could this be a threat to privacy, but it could result in medical complications and deaths if hospitals can’t access patient information,” Lieu said in a statement.
“For example, in March 2016, MedStar was turning away patients due to a ransomware attack. If a ransomware attack denies a patient access to their medical record or medical services, the patient needs to know as quickly as possible. We should encourage information about the attack to be shared with both the government and Information Sharing and Analysis organizations in order to prevent the spread of the attack to other providers.”
Lieu sent a letter to Deven McGraw, deputy director for health information privacy in the Office for Civil Rights at HHS, asking McGraw to instruct health organizations and providers to notify patients of an attack if it results in a denial of access to a medical record or a loss of functionality that’s necessary to provide patient care.
“In such cases, the notification should be made to affected parties without unreasonable delay following the discovery of a breach, and, if applicable, to restore the reasonable integrity of the system(s) compromised, consistent with the needs of law enforcement and any measures necessary for organizations to determine the scope of the breach,” Lieu’s letter said.