While HHS has not yet required reporting of all ransomware attacks, it has been moving toward clarifying its reporting requirements. (Photo: iStock)

There’s a loophole in the Department of Health and Human Services requirements for health care facilities to report cyberattacks, and hospitals and health care centers are taking full advantage of it.

How does this happen? According to a Wall Street Journal report, if patient medical or financial data are locked away by ransomware in an attack but have not been publicly exposed, the attack need not be reported.

The trouble with this is that medical facilities, even if they pay the ransom, can be shut out of their data for weeks. That is what happened to Maryland’s MedStar Health, which took three weeks to get everything up and running again, with doctors taking notes by hand and lab results coming in late.

MedStar is far from the only medical facility facing ransomware attacks, and if two lawmakers have their way, ransomware incursions will have to be reported too. Current HHS requirements say hospitals need only report attacks that result in the exposure of private medical or financial information, such as malware that steals data; Reps. Ted Lieu, D-Calif., and Will Hurd, R-Texas, are pushing HHS to change that.

At present, whether ransomware’s encryption of data counts as a reportable breach is a “gray area,” the report says, and most facilities don’t report such attacks if they don’t have to. Those that do can be in for a “harsh spotlight, potential penalties and liability risks.” But when attacks go unreported, other hospitals that never learn about them are handicapped in defending themselves and their data.

Lieu’s view, the report says, is that regulators can’t protect patient safety if they don’t know when hospital medical records are being held for ransom. The report quotes him saying, “I view it as a loophole that ransomware does not have to be reported.”

MedStar “shared insights privately,” according to MedStar spokeswoman Ann Nickels, but she declined in the report to say whether the incident was reported to HHS or how many patients’ data were affected.

The global WannaCry ransomware attack shut down facilities including hospitals in the U.S. and the U.K., medical devices in the U.S. and auto plants in Europe. The attack “highlighted the disturbing reality that the true state of cybersecurity risk in this sector is underreported by orders of magnitude,” Leo Scanlon, deputy chief information security officer for HHS, was quoted as saying during a U.S. House hearing on cybersecurity.

And while HHS has not yet taken the step of requiring reporting of all ransomware attacks, it has been moving toward clarifying its reporting requirements. Last July it said that hospitals must report ransomware attacks to the agency and to patients unless they can show that the confidential information was not compromised, which puts the burden on the hospital rather than the regulator.

Still, the proliferation of attacks points toward a time when hospitals may no longer be allowed to refrain from reporting, whatever the cost in financial penalties and in notifying the patients whose data were affected.