The Department of Health and Human Services has distributed new guidelines to emphasize when health care groups must report incidents of ransomware attacks, given that some hospitals are shirking the process altogether.
The guidance suggests that all ransomware incidents experienced by health care organizations should be treated as data breaches. Under the Health Insurance Portability and Accountability Act, or HIPAA — which established a national standard in 1996 to protect individuals’ medical records and other personal health information — a health care group’s data breach is “presumed and notification of the individuals whose information is involved in the breach and HHS is required,” according to an HHS spokesperson.
But the new guidelines are also driving health care organizations to be proactive when reporting attacks.
“We have seen that attacks due to hacking, including malware and ransomware, are on the rise in reports that we are receiving from HIPAA-covered entities and business associates,” the spokesperson said, “[but] we cannot comment on incidents that have not been reported.”
The guidance also adds clarity to existing data breach notification requirements passed by legislators in the HITECH Act of 2009 and implemented by the 2013 Breach Notification Rule, the spokesperson said.
Aside from acting as an educational resource, the new guidelines will also help HHS grasp the scale of the ransomware problem, given the rise in hospitals and other health-related systems. Attacks on a Hollywood, California, hospital and the Columbia, Md.-based MedStar Health system have been two of the most high-profile ransomware cases in the U.S.
Between 2009 and 2013, the percentage of health care organizations that have reported a cyberattack doubled, according to a survey conducted by the Ponemon Institute. Additionally, patient medical records are reportedly worth up to 10-times more than the value of credit card information on the black market, and the tools to pull off such attacks are becoming increasingly easy to purchase.
“Basic ransomware tool sets are generally more widely available to cyberattackers, making it easier for less skilled attackers to compromise valuable healthcare networks,” said Anthony James, vice president of product strategy for San Mateo, Calif.-based security company TrapX.
Wallace Sann, the CTO of ForeScout’s public sector division, said many ransomware victims are choosing to pay instead of reporting the attack to authorities or seeking the help of a professional cybersecurity firm.
“If you’re a hospital and you acknowledge that you’ve been hit by ransomware, while it might be a hit to your reputation, it’s an even bigger loss of consumer trust if you don’t disclose it,” Sann told FedScoop.
Disclosure is not optional in most circumstances. Patients are notified directly in adherence to the hospital’s own policies, while current law stipulates that the trigger to notify HHS is when more than 500 patient records are exposed in a breach. However, knowing how many files were stolen in a ransomware-style attack can be difficult to decipher.
“Historically, the amount of data exfiltrated during a ransomware attack has been unclear, so it is possible that health care institutions could determine that there was no evidence to suggest that any was stolen, which would subsequently not trigger any reporting,” James said.
You can read the guidance on HHS’ website.
To contact the reporter on this story: send an email via firstname.lastname@example.org or follow him on Twitter at @Bing_Chris. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at CyberScoop.com.