Reps press HHS on ransomware
- By Mark Rockwell
- Jun 28, 2016
Reps. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) want a light regulatory approach to disclosures following ransomware attacks against health care systems.
Ransomware attacks can shut down hospitals and health care systems by locking out providers' access to records. The Department of Health and Human Services is preparing guidance on how institutions should respond to such attacks and notify patients whose records are compromised.
Two Capitol Hill IT leaders, Rep. Will Hurd (R-Texas) and Rep. Ted Lieu (D-Calif.), are urging HHS leaders to think of ransomware as different from other types of cyberattacks.
In a June 27 letter to Deven McGraw, deputy director for health information privacy at HHS, the lawmakers wrote that ransomware hackers aren't after data. Instead, they're usually seeking cash.
Therefore, ransomware isn't typically a threat to data privacy but could harm patients by locking providers out at potentially crucial times, they wrote.
Hurd and Lieu said it might be necessary to notify patients if such a safety issue arises. However, notification only makes sense when ransomware results in denial of access to an electronic medical record and/or a loss of functionality to deliver medical services.
Mandating that institutions offer credit monitoring to patients might also prove to be an unnecessary expense, they added.
They said they would like to see guidance that "aggressively requires" notification of HHS federal cybersecurity authorities in the event of a breach.
They also urged HHS to make it clear that deleting or modifying a patient record during a cyberattack constitutes a breach under existing law.
They said ransomware is a bit of a chameleon because it typically executes itself from a bad email message or other file sent to a provider and then locks servers, storage devices, applications and files, disabling access to health records.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at firstname.lastname@example.org or follow him on Twitter at @MRockwell4.