Lawmakers weigh in on potential HHS ransomware guidance

locked record

Ransomware attacks in the healthcare industry continue to be a major focus for Rep. Ted Lieu (D-Calif.).

In a letter this week to Deven McGraw, deputy director for health information privacy at the Department of Health and Human Services Office for Civil Rights, Lieu and fellow congressman Will Hurd (R-Texas) laud the announcement of plans to issue ransomware guidance, but also provide their own set of suggestions for developing such a resource. Politico’s Morning eHealth first reported the letter.

Lieu and Hurd say that organizations should only notify patients if the attacks cause a denial of access to an electronic medical record or they can't provide medical services due to lost functionality. “In such cases, the notification should be made to affected parties without unreasonable delay following the discovery of a breach, and, if applicable, to restore the reasonable integrity of the system[s] compromised, consistent with the needs of law enforcement and any measures necessary for [an] organization to determine the scope of the breach,” they write.

In March, Lieu said that he may propose a bill that would require providers to let their patients know when a ransomware attack has occurred.

The lawmakers also urge continued information sharing between the government, healthcare-based information sharing and analysis organizations (ISAOs) and private sector entities. “[W]e recommend guidance that aggressively requires reporting of ransomware attacks to HHS and appropriate healthcare-related ISAOs,” Lieu and Hurd say.

In addition, they call destruction of records “the same thing as accessing them,” and implore OCR to include information about data modification within its guidance.

Cybersecurity issues continue to plague the industry. This week alone, a hacker put nearly 10 million stolen patient records up for sale on the dark web. The records were stolen from three hospitals and a health insurance database.

To learn more:
- here’s the letter