Reps. Ted Lieu, D-Calif., and Rep. Will Hurd, R-Texas, are pressing Department of Health and Human Services' Office for Civil Rights to provide guidance regarding ramsomware cybersecurity attacks – and provide it stat.

The Congressemen sent a letter June 27 to Deven McGraw, deputy director for health information privacy at the HHS Office for Civil Rights, which oversees privacy and security of protected healthcare information.

As Lieu and Hurd see it, organizations need to notify patients only when the attacks cause a denial of access to an electronic medical record or when they can't provide medical services due to lost functionality.

[See also: RAA: The latest ransomware culprit preys on Microsoft Jscript.]
 
In those cases, they assert, "the notification should be made to affected parties without unreasonable delay following the discovery of a breach, and, if applicable, to restore the reasonable integrity of the system[s] compromised, consistent with the needs of law enforcement and any measures necessary for organization to determine the scope of the breach."

The lawmakers asked for guidance that "aggressively" requires reporting of ransomware attacks to HHS and appropriate healthcare-related Information Sharing and Analysis Organizations. They also noted that the destruction of records was the same as accessing them and called for OCR to take this into account when issuing its guidance.

The concressmen made reference to a recent Pomenon Institute study on ransomware that indicated more than four in 10 healthcare organizations were worried about ransomware attacks.

Access the full letter here.

Twitter: @Bernie_HITN
Email the writer: bernie.monegain@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn