HHS: Healthcare groups must report all ransomware attacks

The Federal Health and Human Services Department (HHS) issued guidelines this week that could require hospitals and doctor offices to notify HHS if they are victimized by a ransomware attack. The HHS guidance has several stipulations for if and when health providers would be required to make a notification. The primary trigger would be if the electronic protected health information (ePHI) is not protected in accordance with HHS regulations or if the ePHI is properly encrypted making it impervious to a criminal enterprise. However, if neither of these thresholds are met than the affected organization would have to notify HHS if a ransomware incident takes place. This differs from the current standard which only required healthcare providers report incidents in which the personal information of more than 500 people was compromised through a data breach. A ransomware attack did not fall under these guidelines. One example provided by HHS states, “if a laptop encrypted with a full disk encryption solution in a manner consistent with HHS guidance is properly shut down and powered off and then lost or stolen, the data on the laptop would be unreadable, unusable and indecipherable to anyone other than the authenticated user. Because the PHI on the laptop is not “unsecured PHI”, a covered entity or business associate need not perform a risk assessment to determine a low probability of compromise or provide breach notification.” Rep. Ted Lieu (D-Calif.) said he was happy with HHS' stance. Lieu and Rep. Will Hurd (R-Texas) had sent a letter in late June to HHS urging it to develop ransomware guidelines. “I am pleased the Department of Health and Human Services has responded to the concerns outlined in our letter and issued guidance making clear that most ransomware and malware attacks should be considered a breach under the HITECH (Health Information Technology for Economic and Clinical Health) law,” Lieu said in a statement. Lieu added that is is just the first step. The authority granted to HHS, Health Insurance Portability and Accountability Act (HIPAA) and HITECH address privacy concerns, but statutory changes may be needed to “to enable HHS and the industry to better collaborate and respond,” he said. The HHS guidance stated that entities that comply with HIPAA security rules will be more secure from ransomware and other cyberattacks as they require the implementation of cybersecurity measures, conducting a risk analysis to identify threats and vulnerabilities and taking measures to remediate those risks. HHS did not respond to a SCMagazine.com request for additional information.