News Feature | July 15, 2016

Lawmakers Push For Required Patient Notification In Wake Of Cyber Attacks


By Christine Kern, contributing writer

President Barack Obama discusses health care reform before a joint session of Congress on Sept. 9, 2009. Image courtesy of Wikimedia Commons.

Reps. Lieu and Hurd want ransomware attack guidance for provider organizations.

As the threat of ransomware escalates, two legislators are pushing for ransomware attack guidance for provider organizations that would require patient notification in the wake of an incident. To that aim, Reps. Ted Lieu, D-CA, and Will Hurd, R-TX, made the request in a letter to Deven McGraw, deputy director of the Office of Civil Rights of the Department of Health and Human Services (HHS).

The lawmakers are supporting guidance that would require patient notification if a ransomware attack prevents a healthcare provider from accessing electronic medical records or if it loses the ability to provide medical services, according to the letter. They point out, according to the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, ransomware is in the top three cyber threats challenging healthcare organizations today and more than 40 percent of healthcare organizations are concerned about being the victim of a ransomware attack.

According to Lieu and Hurd, notification should take place “without unreasonable delay” immediately following a breach’s discovery, “consistent with the needs of law enforcement.”

This is not the first time Lieu and Hurd have teamed up to call for technology-related action. Particularly concerned about security, the bipartisan lawmakers urged their colleagues in May to adopt end-to-end encryption, allowing for more secure communications and improving the security culture in the House of Representatives.

The new recommended guidance, however, addresses the unique dangers of ransomware, stating: “In the case of a ransomware attack, the threat is not usually to privacy, but typically to operational risks to health systems and potential impacts on patient safety, and service.”

When activated, ransomware has the potential to block access to health records, and therefore to affect patient safety, making it a particularly dangerous scenario. This spring alone, a number of high-profile attacks made the headlines as hospitals had their networks disabled, at least temporarily, by ransomware, as Health IT Outcomes reported.

Lieu and Hurd cited the MedStar attack from earlier this year, which resulted in the hospital chain turning away patients while the ransomware locked its systems.