HHS Office for Civil Rights developing ransomware guidance

In the wake of several high-profile ransomware attacks on hospitals and health systems, the Department of Health and Human Services' Office for Civil Rights plans to publish guidance for the industry focusing on such incidents, according to Bloomberg BNA's Health Care Blog.

OCR Deputy Director for Health Information Privacy Deven McGraw tells Bloomberg that the guidance, which she first discussed at a Politico panel event on cybersecurity on Tuesday, will help provider organizations understand how to react in the event of a ransomware attack. In addition, it will outline the appropriate protocol going forward for reporting such events to OCR. While provider organizations have not, to date, reported ransomware attacks to the agency, McGraw says that OCR could determine them to be breaches as well.

Ransomware, malware and denial-of-service attacks currently are the top cyberthreats that healthcare organizations face, according to a new report published this week by the Ponemon Institute. The report estimates the cost of breaches for the healthcare industry, overall, to be $6.2 billion, with the average cost to an individual organization at $2.2 million.

Los Angeles-based Hollywood Presbyterian Medical Center in February paid a $17,000 (40 bitcoin) ransom to hackers who disabled its IT systems with ransomware. Allen Stefanek, the hospital's CEO, said the decision was "the quickest and most efficient way to restore ... systems and administrative functions."

What's more, an alleged ransomware attack in March temporarily locked up IT systems at MedStar Health, which operates 10 hospitals in Maryland and the District of Columbia. MedStar has yet to confirm the nature of its attack.

Prior to the MedStar attack, Rep. Ted Lieu (D-Calif.) said he may propose a bill that would require providers to inform their patients when a ransomware attack has occurred.

Meanwhile, shortly after the MedStar incident, Sen. Barbara Boxer (D-Calif.) sent a letter to FBI Director James Conway sharing concerns about the recent string of cyberattacks. Boxer was particularly worried that if hospitals pay the requested ransoms to regain access to their IT systems, hackers will have more incentive to target the healthcare industry.

To learn more:
- read the Bloomberg BNA article
- watch the Politico panel discussion