In a recent letter to Deven McGraw, Deputy Director for Health Information Privacy at the Office of Civil Rights (OCR), congressmen Ted Lieu and Will Hurd urged OCR to focus on certain issues in its forthcoming guidance on how health care organizations should respond to ransomware attacks. As explained in the letter, the threat posed by ransomware is that it “executes itself as an encrypted lock around one or more servers, storage devices, applications or files,” thereby preventing health care organizations from accessing or performing certain functions involving health records. Ransomware attacks are therefore unlike many conventional breaches, in that they do not involve privacy threats but rather involve a barrier to health care providers’ access to critical health information necessary for their operations and to treat patients.
The congressmen suggested that OCR should require breach notification that accounts for the unique nature of ransomware attacks and that would not require notification of individuals in all cases, but only in those instances “where the ransomware attack results in either a denial of access to an electronic medical record and/or loss of functionality necessary to provide medical services.” On the other hand, the congressmen urged that OCR should require notification of the government and of health care Information Sharing and Analysis Organizations (ISAOs) in order to help spread awareness of ransomware attacks across the health care industry and to facilitate development of unified responses to the attacks. Stay tuned for HSLG’s blog post once OCR releases its guidance.