Cybersecurity

Reps press HHS on ransomware

Rep. Ted Lieu (D-Calif.) and Rep. Will Hurd (R-Texas)

Reps. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) want a light regulatory approach to disclosures following ransomware attacks against health care systems.

Ransomware attacks can shut down hospitals and health care systems by locking out providers' access to records. The Department of Health and Human Services is preparing guidance on how institutions should respond to such attacks and notify patients whose records are compromised.

Two Capitol Hill IT leaders, Rep. Will Hurd (R-Texas) and Rep. Ted Lieu (D-Calif.), are urging HHS leaders to think of ransomware as different from other types of cyberattacks.

In a June 27 letter to Deven McGraw, deputy director for health information privacy at HHS, the lawmakers wrote that ransomware hackers aren't after data. Instead, they're usually seeking cash.

Therefore, ransomware isn't typically a threat to data privacy but could harm patients by locking providers out at potentially crucial times, they wrote.

Hurd and Lieu said it might be necessary to notify patients if such a safety issue arises. However, notification only makes sense when ransomware results in denial of access to an electronic medical record and/or a loss of functionality to deliver medical services.

Mandating that institutions offer credit monitoring to patients might also prove to be an unnecessary expense, they added.

They said they would like to see guidance that "aggressively requires" notification of HHS federal cybersecurity authorities in the event of a breach.

They also urged HHS to make it clear that deleting or modifying a patient record during a cyberattack constitutes a breach under existing law.

They said ransomware is a bit of a chameleon because it typically executes itself from a bad email message or other file sent to a provider and then locks servers, storage devices, applications and files, disabling access to health records.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.