Congressmen Call for Different HIPAA Rules for Malware and Ransomware Attacks

Ted Lieu, D-Calif., and Will Hurd, R-Texas, have written to OCR Deputy Director for Health Information Privacy Deven McGraw raising issues related to healthcare ransomware infections ahead of the release of new OCR guidance on ransomware attacks.

The bipartisan pair of Congressmen have pointed out some important differences between ransomware infections and hacking, which they believe should be reflected in the upcoming guidance. They believe that ransomware should be subject to different rules from other malware infections and hacking incidents, although there is some debate as to whether HIPAA Rules should treat different types of malware differently.

The Congressmen point out in the letter that under 45 CFR § 164.402, a breach of ePHI is defined as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted.” This would mean that a ransomware attack qualifies as a data breach: in order to encrypt data, those data must be accessed. Consequently, covered entities would be required to perform a risk assessment under HIPAA Rules.

While a risk assessment would be required under HIPAA Rules, the Congressmen argue that ransomware infections should be classed differently from other data breaches because ransomware does not usually involve the theft of data and does not infringe the privacy of patients. The infection only denies the covered entity access to health records. It would therefore usually involve only an operational risk, not a privacy risk.

The pair also question whether it would be appropriate to notify patients of a ransomware attack if patient privacy is not placed at risk and if there is no loss of functionality as a result of the attack. If patient safety is unaffected and patient privacy not violated, they suggest that notifications would be unnecessary. However, if patients were to have their privacy violated or access to medical services was disrupted, notifications would be reasonable and should be issued without unnecessary delay.

Further, in cases where data are not stolen, the Congressmen suggest that it would not be necessary to offer credit counseling services to patients, as this would simply be an unnecessary expense for healthcare providers with no benefit for patients.

While patients may not need to be notified of a ransomware infection, the Congressmen do believe the sharing of intelligence is critical. They suggest ransomware attacks should therefore be reported to HHS. They also suggest that HIPAA covered entities notify US-CERT, Information Sharing and Analysis Organizations (ISAOs), and private sector cyber threat sharing organizations. Sharing intelligence could be invaluable and could help with the development of future defenses against such attacks. The Congressmen have requested that OCR “aggressively requires” the reporting of these cyberattacks.

The pair would also like to see the guidance address the issue of data deletion or modification as a result of ransomware infections. They suggest that the deletion of data would be the same as modification of files in terms of the impact it has on an organization, and that this should be made clear in the upcoming guidance.

Lieu and Hurd also requested guidance be issued promptly to address current confusion over HIPAA and ransomware infections.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.