A federal hearing on standardizing and modernizing health information technology resulted in calls for new or improved legislation to fill in gaps in cybersecurity law.
In a joint hearing before the U.S. House's Subcommittee on Information Technology and Subcommittee on Health Care, Benefits and Administrative Rules, Rep. Ted Lieu (D-Calif.) noted that ransomware attacks against health-care institutions, including the one perpetrated against Hollywood Presbyterian Medical Center, are not covered in the 2009 HITECH (Health Information Technology for Economic and Clinical Health) Act, which promotes the adoption of electronic health records.
“HITECH law has cybersecurity requirements and requires notification for data breaches, but the law says nothing about notification for data that is frozen or held hostage where it is stored,” said Lieu, noting that the health-care industry needs "some combination of regulation and forcible guidance to protect the public."
Just this week, multiple reports have surfaced regarding an additional ransomware attack against Henderson, Ky.-based Methodist Hospital and possibly another against two Southern California hospitals operated by Prime Healthcare Services.
Ben Johnson, former NSA computer scientist and cofounder and chief security strategist for endpoint cybersecurity company Carbon Black, told SCMagazine.com in an email statement that ransomware takes advantage of health-care IT environments that are often "aging and rusty," with a "mishmash of hardware and older operating systems brought together through mergers, acquisitions, lowest-bidder procurement and understaffed security teams." Johnson's comments underscored the purpose behind today's subcommittee hearing to improve health care IT infrastructure.
Meanwhile, Jessica Rich, director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC), publicly testified today that the agency “reiterates its longstanding bipartisan call for federal data security and breach legislation that would allow us to seek civil penalties to deter unlawful conduct and give us jurisdiction over non-profit entities.”