Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.
By Alex Ruoff
March 23 — A House Democrat is considering an update to federal health record breach notification laws in light of the recent rise in ransomware attacks on hospitals.
Rep. Ted Lieu (D-Calif.) told Bloomberg BNA March 23 he's considering legislation that would require hospitals and other health-care organizations to notify their patients when they've been the victim of a ransomware attack. Ransomware is a type of malicious software that encrypts data on the victim's network so it becomes inaccessible without the purchase of an electronic key that is known only to the malware's creator.
Some hospitals have kept mum after falling victim to ransomware attacks, making it difficult for policy makers and regulators to understand how prevalent these types of cyberattacks are in health care, Lieu, a member of the House Oversight and Government Reform Subcommittee on Information Technology, said.
“Right now under federal law, there's no requirement that a hospital has to report they've suffered a ransomware attack,” Lieu said. “We're exploring legislation to fix that loophole.”
Lieu is also considering legislation to combat instances of data blocking, or purposefully preventing health-care providers from sharing patient records. However, he's very early in the process of developing such legislation, he said.
Lieu said his staff is still exploring the issue but it is likely that the legislation would amend the Health Information Technology for Economic and Clinical Health (HITECH) Act to explicitly state that health-care organizations that suffer a ransomware attack should disclose some details of the incident to their patients.
“It's difficult for policy makers, or anyone, to have a handle on the problem if we don't get information that it's happening.”—Rep. Ted Lieu
Currently, health-care organizations must notify their patients when their health records have been stolen or compromised during a cyberattack. But ransomware software doesn't always extract data; it only makes data inaccessible.
Lieu said the proposed change would give patients a better understanding of how their health information is bring protected and would give lawmakers a better understanding of how many hospitals are being targeted by cybercriminals.
“It's difficult for policy makers, or anyone, to have a handle on the problem if we don't get information that it's happening,” Lieu said. “The first step to any solution, I think, is understanding the problem.”
Reports of ransomware attacks on health-care organizations have been growing since February, where a Los Angeles hospital lost access to its electronic health record (EHR) system for several days .
Hollywood Presbyterian paid $17,000 to unlock its data.
Three more hospitals have reported experiencing ransomware attacks in March, although there are few details about one of the incidents. The disruption caused by ransomware attacks can vary greatly, from locking clinicians out of hospital EHRs and networks to a short disruption of network service.
Two California hospitals, Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville, saw their servers disrupted by ransomware March 18, Prime Healthcare Management Inc. spokesman Fred Ortega told Bloomberg BNA March 23. Prime owns both hospitals and they share some servers.
In both instances, the ransomware was contained to protect patient records from being affected, Ortega said. However, some of the hospitals' IT systems remain locked by the malware.
Ortega said the server disruptions didn't affect patient care or patient safety.
Prime hasn't paid hackers for a key to release the systems that remain locked, Ortega said.
The Henderson, Ky.-based Methodist Hospital reported losing access to its computer network March 16 due to a ransomware attack, a hospital spokeswoman told Bloomberg BNA March 23.
The hospital's data systems were locked by the malware for five days, but the hospital was able to operate on a backup system, according to a statement by Methodist Hospital sent to Bloomberg BNA.
Patient health records weren't compromised by the malware, according to the statement.
To contact the reporter on this story: Alex Ruoff in Washington at email@example.com
To contact the editor responsible for this story: Patty Logan at firstname.lastname@example.org
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)