The federal government says that hospitals and other organizations that process or store patient health care information must report cyber breaches to HHS. But the rules are murky, and some of the worst cyberattacks have not been brought to light, the Wall Street Journal reports.
The newspaper focuses on attacks by hackers using ransomware, which keeps the data under lock until the victim organizations pay up. So, technically, no patient medical information is released in such circumstances, which means health care organizations can avoid the embarrassment—as well as the competitive and financial fallout—that making such an attack public knowledge would generate.
As an example, the Wall Street Journal cites MedStar Health, which owns 10 hospitals and more than 300 outpatient centers. It suffered a cyberattack last year that disrupted its vast electronic-record system. “Doctors logged patient details with pen and paper,” the newspaper reports. “Laboratory staff faced delays delivering test results.”
Yet MedStar Health did not have to report the attack to HHS. “HHS rules say hospitals need only report attacks that result in the exposure of private medical or financial information, such as malware that steals data,” the newspaper reports. “When ransomware’s data encryption meets that threshold is a gray area.”
Some members of Congress want to close this loophole. Leo Scanlon, deputy chief information security officer for HHS, cited a vast cyberattack by an organization called WannaCry in testimony before the House this month. That attack “highlighted the disturbing reality that the true state of cybersecurity risk in this sector is underreported by orders of magnitude,” Scanlon said.
Source: Wall Street Journal