
FTC, legislators call for improvements in health-care IT laws, including ransomware protection

A federal hearing on standardizing and modernizing health information technology resulted in calls for new or improved legislation to fill in gaps in cybersecurity law.

In a joint hearing before the U.S. House's Subcommittee on Information Technology and Subcommittee on Health Care, Benefits and Administrative Rules, Rep. Ted Lieu (D-Calif.) noted that ransomware attacks against health-care institutions, including the one perpetrated against Hollywood Presbyterian Medical Center, are not covered in the 2009 HITECH (Health Information Technology for Economic and Clinical Health) Act, which promotes the adoption of electronic health records.

“HITECH law has cybersecurity requirements and requires notification for data breaches, but the law says nothing about notification for data that is frozen or held hostage where it is stored,” said Lieu, noting that the health-care industry needs "some combination of regulation and forcible guidance to protect the public."

Just this week, multiple reports have surfaced regarding an additional ransomware attack against Henderson, Ky.-based Methodist Hospital and possibly another against two Southern California hospitals operated by Prime Healthcare Services.

Ben Johnson, former NSA computer scientist and cofounder and chief security strategist for endpoint cybersecurity company Carbon Black, told SCMagazine.com in an email statement that ransomware takes advantage of health-care IT environments that are often "aging and rusty," with a "mishmash of hardware and older operating systems brought together through mergers, acquisitions, lowest-bidder procurement and understaffed security teams." Johnson's comments underscored the purpose behind today's subcommittee hearing to improve health-care IT infrastructure.

Meanwhile, Jessica Rich, director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC), publicly testified today that the agency “reiterates its longstanding bipartisan call for federal data security and breach legislation that would allow us to seek civil penalties to deter unlawful conduct and give us jurisdiction over non-profit entities.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
