CHIME to lawmakers: Ransomware a subset of broader cybersecurity threat

The College of Healthcare Information Management Executives would like lawmakers to look into incentivizing healthcare providers for demonstrating a "minimum level of cyberattack readiness," it said in a statement this week to the Senate Committee on the Judiciary Subcommittee on Crime and Terror.

CHIME also floated the idea of cybersecurity preparation as a factor in reimbursement from the Centers for Medicare & Medicaid Services, suggesting such a proposal could be tied into the Medicare Access and CHIP Reauthorization Act's Merit-based Incentive Payment System. The statement was submitted prior to the committee's hearing Wednesday focusing on the growing threat of ransomware to all industries, including healthcare.

CHIME called current enforcement efforts "heavily focused on compliance with maintaining patient privacy, which can be a distraction or drain on already limited resources necessary to actually secure the numerous points of entry," including electronic health records and medical devices. "Variability in expectations of those that interact with healthcare data, including medical device manufacturers and business associates, will only contribute to the difficulty in securing each and every potential vulnerability," it added.

CHIME described ransomware as just one part of a larger, ongoing problem. Several hospitals this year have been impacted by ransomware, including Los Angeles-based Hollywood Presbyterian Medical Center, which in February paid a $17,000 (40 bitcoin) ransom to hackers who disabled its IT systems.

"The surge in its current effectiveness is most likely entirely attributed to digital and untraceable currencies such as bitcoin," it said. "These currencies allow for an anonymous financial transaction which protects the criminal from financial forensic investigations by the Federal Bureau of Investigation and other law enforcement entities."

To counter ransomware and other emerging cybersecurity threats, CHIME said information sharing on such incidents must improve. "The vehicle by which the threat is delivered will change, but we know for a fact that criminals will look at introducing 'new markets' for extorting money above and beyond what they are doing today," it said.

Officials with the Department of Health and Human Services' Office for Civil Rights recently said the agency plans to publish guidance for the healthcare industry focusing specifically on ransomware incidents.
