The U.S. Department of Health and Human Services Office for Civil Rights is working on official guidance to help healthcare organizations formulate plans to bolster against ransomware attacks and to figure out effective ways to react to such attacks, according to the Bloomberg Bureau of National Affairs.

Deven McGraw, deputy director for health information privacy at OCR, first discussed the ransomware guidance at a recent cybersecurity panel event held by Politico. According to a new report from the Ponemon Institute, ransomware, denial-of-service attacks and malware are the top threats facing healthcare organizations today.

The OCR guidance additionally will look to shed light on when a ransomware attack is considered a breach, thus requiring healthcare organizations to inform the OCR and patients, according to Bloomberg BNA. To date, healthcare organizations have not been reporting ransomware attacks as breaches.

Sign up for the Healthcare IT News Privacy & Security Update newsletter. 

Opinions differ among cybersecurity experts on whether healthcare organizations should be required to automatically report a ransomware attack as a “breach.”

“Yes, of course they should,” said Mansur Hasib, program chair for cybersecurity technology at the graduate school at the University of Maryland University College and author of the book “Cybersecurity Leadership.” “Executive accountability is long overdue.”

Others say no, ransomware attacks do not automatically constitute a breach, per se.

“Ransomware is the opposite of a breach because it blindly encrypts content; however, any organization that gets infected with ransomware is susceptible to other, more targeted attacks, so an organization should treat a ransomware attack as a wake-up call,” said Peter Firstbrook, a research vice president at Gartner who specializes in cybersecurity.

But Firstbrook believes the OCR is quite right in preparing guidance for healthcare organizations to deal with ransomware attacks.

“It would certainly be good if HHS helped with guidance,” he said. “However, it would be the same guidance that organizations have been receiving for years: patch, update, use anti-virus, and much more.”

Hasib echoes Firstbrook’s sentiments, that HHS should indeed provide guidance, though it likely would be guidance healthcare organizations have received, and in many cases ignored.

[Also: CISOs: Healthcare's new rock stars. Special report: Ransomware to get worse, hackers targeting whales, IoT opens new vulnerabilities]

“Plenty of guidance already exists for organizations, yet most organizations are suffering from not doing the basics,” Hasib said. “We do not have a shortage of tools or technology. Half of U.S. healthcare organizations do not have digital strategists in their C-suite. The organizations are run by ‘money people’ whose sole focus is to reduce costs. One-third of healthcare organizations do not have chief information security officers. Many organizations have them in name only; the officers are not empowered to do the right thing. And many organizations wrongly believe their cybersecurity insurance will cover them and choose to rely on insurance instead of doing the right thing for their customers.” 

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn