Congressman Wants Ransomware Attacks To Trigger Breach Notifications (onthewire.io)
Trailrunner7 quotes a report from On the Wire: A powerful California congressman is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients. The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department's plan to issue guidance to health care organizations about ransomware attacks. The Office for Civil Rights section of HHS, which has responsibility for health information privacy, will provide guidance on how to handle ransomware attacks, and Lieu is eager to ensure that the guidance specifically addresses how ransomware attacks relate to data breach regulations. "I welcome the news of HHS providing guidance to health providers on a matter that threatens so many hospital IT systems. However, we need to make clear that ransomware is not the same as conventional breaches. The threat to patients from ransomware is typically due to the denial of access to their medical records and medical services. Not only could this be a threat to privacy, but it could result in medical complications and deaths if hospitals can't access patient information," Lieu said in a statement. He sent a letter to the deputy director for health information privacy in the Office of Civil Rights at HHS, Deven McGraw, asking him to instruct health organizations and providers to notify patients of an attack if it results in a denial of access to a medical record or a loss of functionality that's necessary to provide patient care. In the past, Lieu has called for a full congressional investigation into the aforementioned widespread flaw in global phone networks that allows hackers to track anyone's location and spy on their phone calls and text messages.
He was also one of the first lawmakers to publicly express his pro-encryption view after a federal judge ordered Apple to help the FBI break into the San Bernardino shooter's iPhone, saying it effectively "forces private-sector companies like Apple to be used as an arm of law enforcement."
Ransomware isn't the only thing dropped onto a system in most attacks. And we can't bank on ransomware not exfiltrating a couple of encrypted documents along the way.
If the ransomware hit, what other breaches occurred that they weren't aware of?
It has nothing to do with hospitals, they are provided systems by external mega-corps. They're the ones that will be shamed, and rightly so.
All ransomware compromises ARE malware compromises. Therefore, any files accessed on that computer during infection, or data accessible to the operating system and programs running on a compromised computer, need to be considered breached data.
The same with any malware compromise where exfiltration could possibly have occurred.
The standard of "We have no evidence proving that data was breached" needs to be specifically disallowed as a reason to not send a breach notification.
I agree. You can only assume the ransomware is not doing anything other than a cash shakedown to get the encryption keys.
The reality is someone had code execution on your stuff and access to files. It's a breach; I think this is pretty straightforward.
To suggest otherwise rates right up there with "kinetic military action".
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
There is no reason to assume.
There is every reason to assume.
You don't know the ransomware was the only payload; there could be something still there you don't know about.
You don't know that after the exfil job was completed the software did not self delete those parts of it.
You don't necessarily know how it got there, and if something else could be delivered the same way in the future.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html