Cybersecurity

Reps press HHS on ransomware

Rep. Ted Lieu (D-Calif.) and Rep. Will Hurd (R-Texas)

Reps. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) want a light regulatory approach to disclosures following ransomware attacks against health care systems.

Ransomware attacks can shut down hospitals and health care systems by locking out providers' access to records. The Department of Health and Human Services is preparing guidance on how institutions should respond to such attacks and notify patients whose records are compromised.

Two Capitol Hill IT leaders, Rep. Will Hurd (R-Texas) and Rep. Ted Lieu (D-Calif.), are urging HHS leaders to think of ransomware as different from other types of cyberattacks.

In a June 27 letter to Deven McGraw, deputy director for health information privacy at HHS, the lawmakers wrote that ransomware hackers aren't after data. Instead, they're usually seeking cash.

Therefore, ransomware isn't typically a threat to data privacy but could harm patients by locking providers out at potentially crucial times, they wrote.

Hurd and Lieu said it might be necessary to notify patients if such a safety issue arises. However, notification only makes sense when ransomware results in denial of access to an electronic medical record and/or a loss of functionality to deliver medical services.

Mandating that institutions offer credit monitoring to patients might also prove to be an unnecessary expense, they added.

They said they would like to see guidance that "aggressively requires" notification of HHS federal cybersecurity authorities in the event of a breach.

They also urged HHS to make it clear that deleting or modifying a patient record during a cyberattack constitutes a breach under existing law.

They said ransomware is a bit of a chameleon because it typically executes itself from a bad email message or other file sent to a provider and then locks servers, storage devices, applications and files, disabling access to health records.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.