How 2 Lawmakers Would Mete Out Responsibility For Ransomware
The HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules, is developing guidance on how to react to a ransomware attack, and two members of Congress have chimed in with their own ideas.
In a letter to Deven McGraw, deputy director for health information privacy, Reps. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) ask to raise issues that differentiate ransomware from conventional hacking. For instance, on the question of whether ransomware is a breach of protected health information if the information was not moved from where it is served but is not accessible, the lawmakers say yes.
“Since access must occur in order for any malware event that creates a disruption of service or corruption of data, thereby placing patients at risk, including ransomware, the definition of a breach has been met and subject to a required risk assessment to determine what additional steps, if any, are necessary,” the representatives wrote.
They add that while a ransomware attack qualifies as a conventional breach, it may not necessarily be treated as a conventional breach. Privacy, the lawmakers say, is not so much at risk with ransomware as operational risks of the affected organization.
“If the provider or other party providing care would be either unable to care for the patient or unable to provide information critical to the care for the person, swift patient notification is paramount, but if the ransomware does not affect patient safety, then patient notification may be unnecessary,” the legislators suggest.
Consequently, Lieu and Hurd advise notification of a ransomware event only when access to the electronic health record is denied or there is loss of ability to provide medical services.
“While patient notification may not make sense in every case, rapid and mandatory notification of government agencies and shared cyber-response resources is strongly encouraged,” they say. Other requests from the lawmakers to OCR include:
* Guidance that requires reporting of ransomware attacks to OCR and appropriate health-related Information Sharing and Analysis Organizations, which are slowly developing to aid regions across the nation in identifying current cyber threats.
* Flexibility in requiring providers to offer credit protection services, because ransomware does not always involve other parties viewing or stealing protected information, and as such, credit protection may not always be necessary.
* Suggesting that OCR “include clear guidance related to data modification from ransomware or malware attacks, including deletion of entire servers or drives that constitute a breach under HITECH, even if the deletion does not involve direct modification of the original files. We assert that destruction of records is the same as accessing them and has a similar impact to an organization.”