Lawmakers weigh in on potential HHS ransomware guidance

Ransomware attacks in the healthcare industry continue to be a major focus for Rep. Ted Lieu (D-Calif.).

In a letter this week to Deven McGraw, deputy director for health information privacy at the Department of Health and Human Services Office for Civil Rights, Lieu and fellow congressman Will Hurd (R-Texas) laud the announcement of plans to issue ransomware guidance, but also provide their own set of suggestions for developing such a resource. Politico’s Morning eHealth first reported the letter.

Lieu and Hurd say that organizations should only notify patients if the attacks cause a denial of access to an electronic medical record or they can't provide medical services due to lost functionality. “In such cases, the notification should be made to affected parties without unreasonable delay following the discovery of a breach, and, if applicable, to restore the reasonable integrity of the system[s] compromised, consistent with the needs of law enforcement and any measures necessary for [an] organization to determine the scope of the breach,” they write.

In March, Lieu said that he may propose a bill that would require providers to let their patients know when a ransomware attack has occurred.

The lawmakers also urge continued information sharing between the government, healthcare-based information sharing and analysis organizations (ISAOs) and private sector entities. “[W]e recommend guidance that aggressively requires reporting of ransomware attacks to HHS and appropriate healthcare-related ISAOs,” Lieu and Hurd say.

In addition, they call destruction of records “the same thing as accessing them,” and implore OCR to include information about data modification within its guidance.

Cybersecurity issues continue to plague the industry. This week alone, a hacker put nearly 10 million stolen patient records up for sale on the dark web. The records were stolen from three hospitals and a health insurance database.

To learn more:
- here’s the letter
