Lawmakers push HHS to treat 'ransomware' attacks differently

A bipartisan pair of lawmakers is calling on the Department of Health and Human Services (HHS) to treat "ransomware" attacks in the healthcare industry differently than other cyberattacks.

“In the case of a ransomware attack, the threat is not usually to privacy, but typically to operational risks to health systems and potential impacts on safety, and service,” Reps. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) wrote in a letter to Deven McGraw, deputy director for health information policy at HHS’s Office of Civil Rights. 


Hackers use malicious ransomware programs to encrypt important files and then demand money to unlock them. The lawmakers said the current requirements for healthcare providers — to notify patients and offer free credit counseling after breaches — only make sense if patient files are the ones encrypted or otherwise affected in the attack.

The lawmakers advised HHS to issue guidance that "aggressively requires" reporting ransomware to the federal government and industry information-sharing groups to prevent further attacks.

Lieu and Hurd also suggested HHS tell organizations to wipe their hard drives after a breach, whether or not data was modified.