Reps. Ted Lieu (D-California) and Will Hurd (R-Texas) have asked the Department of Health and Human Services to develop guidance that would require healthcare providers to immediately report cases of ransomware-related attacks to government agencies and information sharing and analysis organizations.
The lawmakers told Deven McGraw, deputy director for health information privacy at HHS’ office of civil rights, in a letter released Monday that the guidance should facilitate reporting of ransomware attacks to agencies and ISAOs in compliance with the disclosure requirements of the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act.
The guidance should also direct health providers to immediately notify patients in cases where a denial of access to medical services or electronic health records occurs as a result of a ransomware attack, Hurd and Lieu wrote in the letter.
“We need to make clear that ransomware is not the same as conventional breaches,” Lieu said in a statement released Tuesday.
“Not only could this be a threat to privacy, but it could result in medical complications and deaths if hospitals can’t access patient information.”