A powerful California congressman is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.
The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department's plan to issue guidance to health care organizations on ransomware attacks. HHS's Office for Civil Rights, which is responsible for health information privacy, will provide guidance on how to handle ransomware attacks, and Lieu wants to ensure that the guidance specifically addresses how ransomware attacks relate to data breach regulations, including whether an infection that encrypts patient data triggers notification requirements.
Ransomware is typically thought of as a consumer threat, encrypting victims' files and demanding payment in exchange for the decryption key. But more and more ransomware variants are targeting enterprises, as attackers have figured out that extracting one large payment from a company is more efficient than squeezing smaller payments out of hundreds of individual victims. The SamSam ransomware variant, which spreads within a network in a worm-like fashion, has been seen attacking businesses specifically. A large-scale ransomware infection on a corporate network can have myriad operational consequences, but in a health care organization it can have privacy and regulatory ramifications as well, since the encrypted files may contain patient data.