Reps press HHS on ransomware

The Department of Health and Human Services is weighing what kind of disclosures should follow a ransomware attack that involves health records. Two lawmakers urge a light touch.

Rep. Ted Lieu (D-Calif.) and Rep. Will Hurd (R-Texas)

Reps. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) want a light regulatory approach to disclosures following ransomware attacks against health care systems.

Ransomware attacks can shut down hospitals and health care systems by locking out providers' access to records. The Department of Health and Human Services is preparing guidance on how institutions should respond to such attacks and notify patients whose records are compromised.

Two Capitol Hill IT leaders, Rep. Will Hurd (R-Texas) and Rep. Ted Lieu (D-Calif.), are urging HHS leaders to think of ransomware as different from other types of cyberattacks.

In a June 27 letter to Deven McGraw, deputy director for health information privacy at HHS, the lawmakers wrote that ransomware hackers aren't after data. Instead, they're usually seeking cash.

Therefore, ransomware isn't typically a threat to data privacy but could harm patients by locking providers out at potentially crucial times, they wrote.

Hurd and Lieu said it might be necessary to notify patients if such a safety issue arises. However, they wrote, notification only makes sense when ransomware results in denial of access to an electronic medical record and/or a loss of functionality to deliver medical services.

Mandating that institutions offer credit monitoring to patients might also prove to be an unnecessary expense, they added.

They said they would like to see guidance that "aggressively requires" notification of HHS federal cybersecurity authorities in the event of a breach.

They also urged HHS to make it clear that deleting or modifying a patient record during a cyberattack constitutes a breach under existing law.

They said ransomware is a bit of a chameleon because it typically executes itself from a malicious email message or other file sent to a provider and then locks servers, storage devices, applications and files, disabling access to health records.