- Earlier this week, Reps. Ted Lieu, D-Calif., and Will Hurd, R-Texas, sent a letter to Deven McGraw, deputy director of the Office of Civil Rights of the Department of Health and Human Services (HHS), calling for his agency to issue ransomware attack guidance to provider organizations.
- The lawmakers called for a patient notification if a ransomware attack prevents a healthcare provider from accessing electronic medical records or if it loses the ability to provide medical services, according to the letter.
- Lieu and Hurd said a notification should take place "without unreasonable delay" immediately following a breach's discovery, "consistent with the needs of law enforcement."
This is not the first time Lieu and Hurd have teamed up to call for technology-related action. Particularly concerned about security, the bipartisan lawmakers urged their colleagues in May to use end-to-end encryption, allowing for more secure communications and improving the security culture in the House of Representatives.
With the new guidance, the lawmakers want to make it clear that ransomware attacks are unlike other conventional attacks. Both former computer science majors, the pair focuses on the nuances of security and the potential risks that many agencies face.
"In the case of a ransomware attack, the threat is not usually to privacy, but typically to operational risks to health systems and potential impacts on patient safety, and service," the Representatives said in the letter.
Because ransomware could deny access to health records, it has the potential to impact patient safety. As an example, the lawmakers cited the MedStar attack from earlier this year, where patients were turned away because the hospital chain did not have the resources to treat them while ransomware locked its systems.
Lieu and Hurd also asked the agency to offer "clear guidance" about the threat of data modification, where, during a ransomware attack, there is the threat that entire servers or drives could be deleted.