Ransomware: Time for a HIPAA Update?
Congressman Considering Legislation to Clarify Reporting Requirements
The recent surge in ransomware attacks on hospitals has at least one member of Congress contemplating whether HIPAA's breach notification requirements need to be clarified or updated to reflect the trend.
A cyberattack this week on 10-hospital MedStar Health, which may have involved ransomware, follows ransomware attacks that targeted Methodist Hospital in Kentucky, two California hospitals and Ottawa Hospital in Canada (see Hospital Ransomware Attacks Surge; So Now What?). Plus, Hollywood Presbyterian Medical Center in California grabbed headlines in February when it announced it paid extortionists a $17,000 bitcoin ransom to unlock its data.
"New cyber threats require Congress to vigilantly review and update the laws already on the books," says Rep. Ted Lieu, D-Calif., in a statement provided to Information Security Media Group. "As ransomware attacks against hospitals become more frequent, it is critical for patients to know when their records are being held hostage and for the government to understand the scope of the problem. I am actively exploring legislation to achieve that transparency."
Lieu also told news outlet Bloomberg on March 23, "Right now under federal law, there's no requirement that a hospital has to report they've suffered a ransomware attack."
But a spokesman for the Department of Health and Human Services' Office for Civil Rights says in a statement provided to ISMG that some such attacks already are reportable under HIPAA.
"Because it is considered to be a 'disclosure' if access has been provided, without regard to whether or not the information actually was accessed or viewed - and hackers using ransomware do have access to the data - an impermissible disclosure has occurred, and notification is presumably required unless a 'low probability of compromise' has been demonstrated," according to the statement. "And 'whether the [PHI] was actually acquired or viewed' is only one of the factors."
The spokesman added: "OCR investigates all reported breaches affecting 500 or more individuals, and may also initiate investigations based on news reports. These investigations may include situations involving ransomware. Further, OCR coordinates with the [HHS] internal cyber breach working group on cyber issues including ransomware, and on specific breaches due to ransomware attacks."
Ransomware was the subject of an OCR "cyber bulletin" in February, he notes (see OCR Cyber Awareness Effort: Will it Have an Impact?).
Impact on Patients?
Attorney Kirk Nahra of the law firm Wiley Rein LLP contends ransomware attacks don't merit having new regulations for breach notification.
"These attacks really are directed at different kinds of issues - in most situations - than those where [breach] notice makes sense," he says.
"Something like ransomware is a real problem for a hospital, because it makes their records inaccessible and unusable, but I'm not sure there's any particular purpose to notifying every patient who was ever at the hospital about that kind of incident," he says. "There's always a question of what the purpose of notice is. The original purpose of notice laws was in situations where an individual could reasonably take some action - like checking credit reports in the event of a breach involving Social Security numbers where there was a risk of identity theft. For these kinds of attacks, there's nothing for the individual to do, so it's not clear what the purpose of notice would be."
The uptick in ransomware attacks affecting the healthcare sector started about two years ago, says David Finn, health IT officer at security vendor Symantec.
"We've certainly been seeing a huge resurgence of ransomware, particularly in healthcare," says Finn, who was recently named a member of HHS' new healthcare industry cybersecurity task force that is examining security challenges facing the sector.
"We see ransomware in countries that have stronger economies. Surprisingly, I've seen numbers that up to 40 percent of victims are paying ransoms," he says. "The fact that one hospital in a dire situation paid [a ransom] is sad, but it's indicative of a much larger problem, and I don't think it's going away as long as people can make money."
As for the types of ransomware infecting hospitals lately, "there are a number that are in the wild today, such as Cryptowall, CryptoLocker and Locky," says James Carder, CISO of security services vendor LogRhythm.
"Ransomware is freely available or can be purchased, making it even easier for criminals to access," he notes. "Outside of ransomware, you see other crime packs, exploit kits and tools used by various threat groups. Some of these are customized, and others are basically 'off the shelf' or 'over the counter.' It depends on who the threat actor is and what that person wants to do to the healthcare organization - for example, maintain long-term presence or just hit the organization once."
Call to Action
Meanwhile, Sen. Lamar Alexander, R-Tenn., chairman of the Senate Committee on Health, Education, Labor and Pensions, said the attack on MedStar Health shows the need for the Department of Health and Human Services to immediately implement provisions of the Cybersecurity Information Sharing Act of 2015.
In a March 29 statement, the senator said: "The consequences of cyberattacks like yesterday's hacking at MedStar Health can be catastrophic for America's patients. Imagine an attack leaving doctors unable to access crucial information in a patient's health history or delaying a surgery for hours on end."
The cyber legislation, the senator notes, calls for HHS to "give hospitals and doctors clear information on the best ways to prevent a hack in the first place ... Yesterday's attack, which, unfortunately, is not unique, shows the need for HHS to implement the law with the urgency patients and hospitals deserve."