There’s a loophole in Health and Human Services requirements for health care facilities to report cyberattacks, and hospitals and health care centers are taking full advantage of it.

How does this happen? According to a Wall Street Journal report, if client medical or financial data are locked away by ransomware in an attack and have not been publicly exposed, the attack need not be reported.

The trouble with this is that medical facilities, even if they pay the ransom, can be shut out of the data for weeks — as happened to Maryland’s MedStar Health, where it took three weeks to get everything up and running — with doctors taking notes by hand and lab results coming in late.

And they’re far from the only medical facility facing ransomware attacks, but if a couple of lawmakers have their way, even ransomware incursions may have to be reported. While current HHS requirements say that hospitals are only required to report attacks resulting in the exposure of private medical or financial information, such as malware that steals data, Reps. Ted Lieu, D-Calif., and Will Hurd, R-Texas, are pushing HHS to change that.

At present, the encryption used by ransomware is a “gray area,” the report says, and most facilities don’t report such attacks if they don’t have to. If they do, they can be in for a “harsh spotlight, potential penalties and liability risks,” although if they don’t, hospitals that don’t know about such cyberattacks will be handicapped in defending themselves and their data.

Lieu’s view, the report says, is that regulators can’t protect patient safety if they don’t know when hospital medical records are being held for ransom. The report quotes him saying, “I view it as a loophole that ransomware does not have to be reported.”

And while MedStar “shared insights privately,” according to MedStar spokeswoman Ann Nickels, she declines in the report to say whether the incident was reported to HHS or to say how many patients’ data were affected.

The WannaCry global ransomware attack shut down facilities including hospitals in the U.S. and the U.K., U.S. medical devices and European auto plants. The attack “highlighted the disturbing reality that the true state of cybersecurity risk in this sector is underreported by orders of magnitude,” Leo Scanlon, deputy chief information security officer for HHS, is quoted saying during a U.S. House hearing on cybersecurity.

And while thus far HHS hasn’t taken the actual step of requiring reporting of all ransomware attacks, it has been moving toward clarifying reporting requirements. Last July it said that hospitals must report ransomware attacks to the agency and patients, unless hospitals can prove confidential information has stayed confidential.

However, the proliferation of attacks points toward a time when hospitals may no longer be allowed to refrain from reporting, regardless of the expense of financial penalties and notification of patients whose data were affected.

© 2024 ALM Global, LLC, All Rights Reserved.