Congressmen: Ransomware Requires New Guidance
A bipartisan duo of Congressmen sent a letter to the Department of Health and Human Services, making specific breach notification and response recommendations for upcoming ransomware guidance planned by HHS' Office for Civil Rights, noting that ransomware attacks are "different" from other data breaches.
The "differences" between ransomware attacks - which could potentially impact patient safety by making patient health data inaccessible to clinicians - and other breaches, where patient privacy is primarily at risk, necessitates different response and notification by affected entities, write Ted Lieu, D-Calif. and Will Hurd, R-Texas, in a June 27 letter to Deven McGraw, OCR deputy director of health information privacy.
"We want to raise some issues that differentiate ransomware from conventional hacking and encourage the timely issuance of proposed guidance to address these differences," the Congressmen write.
"From a technical standpoint, ransomware is likely subject to a risk assessment analysis of a data breach," they say, noting that under HIPAA a breach is defined as "the acquisition, access, use, or disclosure of protected health information in a manner not permitted."
Because "access must occur in order for any malware event that creates a disruption of service or corruption of data, thereby placing patients at risk, including ransomware, the definition of a breach has been met and subject to a required risk assessment to determine what additional steps, if any are necessary," the letter notes.
"However, just because a ransomware attack qualifies as a conventional breach, that does not mean they should be treated the same or subject to the exact same risk assessment. One reason for this difference is that the effect of a ransomware breach is different," the Congressmen note.
In the case of a ransomware attack, "the threat is not usually to privacy, but typically to operational risks to health systems and potential impacts on patient safety, and service."
For example, a suspected ransomware attack on MedStar Health in March "resulted in patients being turned away due the inability to provide care," Lieu and Hurd write.
Ransomware vs. Other Breaches
The legislators suggest that the "differences" between ransomware and other data breaches be reflected in OCR's upcoming ransomware guidance.
Specifically, Lieu and Hurd recommend the guidance instruct the healthcare sector that:
Patients be notified of ransomware attacks "without unreasonable delay" - but only in cases where the ransomware attack could affect patient safety due to "either a denial of access to an electronic medical record and/or loss of functionality" necessary to provide medical services;
OCR "aggressively require" reporting of ransomware attacks to HHS and appropriate healthcare-related information sharing and analysis organizations;
Since ransomware does not always involve viewing or stealing personal health information, "requiring a provider to offer credit counseling services may be an unnecessary expense."
The letter also notes, "we urge OCR to include clear guidance related to data modification from ransomware or malware attacks, including deletion of entire servers or drives that constitute a breach under [HIPAA], even if the deletion does not involve direct modification of the original files." The destruction of records "is the same as accessing them and has a similar impact to an organization," Lieu and Hurd write.
In a statement to Information Security Media Group, a spokesman for Lieu says, "we sent this letter both to let [HHS] know that there are those of us in Congress who care about this issue from a patient safety perspective and appreciate their rapid response. We also sent the letter because we wanted to make sure that the effort, while appreciated, was also properly focused on the unique aspects of ransomware as opposed to other hacks involving malware or denial of service attacks."
An OCR spokesman tells ISMG, "OCR is presently drafting guidance on ransomware and HIPAA and expect to be able to release it shortly."
While new OCR ransomware guidance for the healthcare sector could be useful, not everyone is convinced that ransomware attacks on healthcare entities necessitate different rules.
"I don't believe the HIPAA breach notification rule should be modified for this one type of malware," says privacy and security expert Kate Borten, founder of consulting firm, The Marblehead Group.
"HHS guidance on breach determination may be helpful," she notes. "In the meantime, if an expert analysis of the particular ransomware attack determines that nothing beyond encryption occurred, it might not be considered a reportable breach."
The letter to OCR from Lieu and Hurd "proposes an unworkable process," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"These proposals would take away from healthcare providers and health plans critical flexibility provided in the [HIPAA] Breach Notification Rule to assess for the probability that an incident has compromised the privacy or security of the organization's protected health information," he says.
Healthcare attorney Betsy Hodge of the law firm Akerman LLP notes that given the language of the HIPAA breach notification rule, "it seems unlikely that OCR would say that all ransomware attacks should be reported to OCR, but only some may require patient notification; that contradicts the language of the rule."
Rather, "it seems more likely that OCR would issue guidance explaining how the definition of a breach applies to a ransomware attack and how covered entities should consider the risk assessment factors when analyzing whether a particular ransomware attack is a reportable breach," she says.
Too Much Notification?
The letter to OCR also reflects some areas of ongoing confusion when it comes to ransomware attacks and breach notification issues, notes privacy attorney Kirk Nahra of the law firm Wiley Rein LLP.
"It is certainly correct that the 'typical' ransomware event - if there is such a thing - is different than many other situations where patients have been notified about security breaches," such as when data is lost or stolen - and provided to an unauthorized party, he notes. In a ransomware attack, the data typically isn't "taken" by anyone. "It is simply 'locked' so that the right person, for example, a hospital, can't access it. That is a very different kind of event," he says.
"There is an ongoing policy question of 'why' notice is being provided - for example, potential identity theft, where an individual can do something, vs. potential reputational risk, where there may be nothing to do - and we could certainly move to a situation where notice is being provided 'just because,' even if there is no wrongful access to the data, but that is not the current law."
Current breach notification laws require reporting to the government only in situations where there is also notice to an individual, he notes.
"So, while it might make sense to develop a new rule or law relating to notice to the government in situations where no notice to an individual makes sense, that also is not current law." So, even if OCR were to include in its upcoming guidance recommendations that entities hit by ransomware attacks notify HHS or ISAOs, current HIPAA rules do not support that requirement, he says.
"HIPAA today does not have any general 'notify the government' obligation independent of an obligation to notify individuals."
Sharing Cyber Info
Earlier this year, the Department of Homeland Security set up the Cyber Information Sharing and Collaboration Program, or CISCP, as a national public-private partnership for the sharing information rapidly across all sectors of our country's critical infrastructure, including healthcare, Holtzman notes.
But the proposals in the letter requiring the reporting to healthcare ISAOs of ransomware attacks potentially could have negative impact. "It could turn out to be counterproductive to have competing proprietary threat sharing programs that value exclusivity over widespread information sharing, limiting distribution of reported vulnerabilities only to their subscribers," he says.