In the great schism that is the 2016 election year, bi-partisan participation may seem like a thing of the past, but believe it or not, it is not quite dead just yet.
A letter sent by Congressmen Ted Lieu (D-Calif.) and Will Hurd (R-Texas) this week not only praised Deputy Director for Health Information Privacy Deven McGraw, at the Department of Health and Human Services Office for Civil Rights (OCR) for her announcement that the OCR will be providing guidance and establishing protocol for ransomware victims in the healthcare industry, but to also provide some guidance of their own. The two men have devised a strategy that will help the OCR develop the resources needed by the provider organizations, in order to implement the protocol.
A main focus of the bi-partisan letter revolved around patients impacted by the breach; specifically, parameters for notification. Lieu and Hurd state that it is not necessary in every case, due to the fact that ransomware attacks do not generally compromise patient privacy. The main issue, instead, tends to be the patient accessibility, or lack thereof. The virus is detrimental to this industry because it prohibits patients from accessing either electronic records or, worse, medical services, until functionality is restored. Therefore, patient notification must be “without unreasonable delay following the discovery of a breach, and, if applicable, to restore the reasonable integrity of the system[s] compromised.”
Lieu, no stranger to the impact of rising of ransomware attacks on the healthcare industry, proposed the creation of a bill this March, which would require victimized providers to alert their patients of the ransomware attack. In the letter, the two men extend this idea by recommending to the OCR a requirement in which the victimized providers must alert the government, as well, by reporting breaches to the healthcare-based information sharing and analysis organizations (ISAOs) and to the private sector. Continued transparency will assist legal entities in learning more about the attackers, resulting in fewer attacks.
This flutter of governmental activity comes in the wake of increasing attacks this year on the healthcare entities. Case in point, 10 million confidential records, pinched from only four sources (three hospitals and one health insurance database) are currently being sold on the dark web after a hacker put them up for bid this week. The threat is real, and it is good that the government has started to not only recognize that, but to also take steps to fix it.