Should Ransomware Infections Count As Data Breaches? (Yes.)
A proposal circulating in Congress would classify ransomware infections in healthcare settings as de-facto breaches. Fair? You betcha.
Ransomware has been plaguing healthcare organizations across the U.S. in recent years, crippling clinical environments and extracting payments from an unknown number of healthcare organizations desperate to restore access to life-saving systems.
The silver lining, if there is one, is that ransomware incidents have been understood to be single-purpose attacks: designed to generate a payday for their operators. Period. Wholesale compromises of healthcare environments and the theft of healthcare data haven’t been part of the plan. Or, at least, that’s the story we’ve been told.
Typical of these were attacks on hospitals in Kentucky and California in March, including Chino Valley Medical Center and Desert Valley Hospital in California, both operated by Prime Healthcare. In a statement released to Security Ledger at the time, a Prime Healthcare spokesman noted that no ransom was paid and that there was “no patient or employee data compromised.”
But the continued growth of ransomware attacks in frequency and sophistication raises the question: should ransomware infections be considered data breaches?
That’s an idea that is gathering steam in policy circles in Washington, D.C. As my good friend (and fellow Digital Guardian Blog contributor) Dennis Fisher noted on the OnTheWire blog last week, the Department of Health and Human Services’ Office for Civil Rights (OCR), which is responsible for health information privacy, is working on guidance for healthcare organizations on dealing with ransomware attacks, and U.S. Congressman Ted Lieu (D-CA) wants that guidance to address specifically how ransomware attacks fall under data breach laws. Lieu has also written a letter to HHS (PDF) urging regulators to require disclosure of ransomware attacks that affect access to patient records, even absent a breach in which patient health information is viewed. Ransomware attacks are different, Lieu noted, in that they disrupt healthcare operations and may deny access to patient records. That kind of impact can affect patient care and should be something patients are made aware of, even if no theft of records or leak of patient data results.
“We suggest that patient notification would… make sense in cases where the ransomware attack results in either a denial of access to an electronic medical record and/or loss of functionality necessary to provide medical services,” Lieu wrote. “In such cases, the notification should be made to affected parties without reasonable delay following the discovery of a breach.”
The argument that Lieu doesn’t make, but easily could, is that a ransomware infection requires a level of access that could easily encompass the theft or viewing of patient records, even when there is little evidence that it happened. Malware that can encrypt a patient record must first be able to read it, so the access needed to hold data hostage is, at minimum, the access needed to copy it. The truth is that proving that unauthorized access to a network led to data theft is difficult. Proving that stolen data was subsequently used for criminal purposes is also difficult. But the fact that worst-case scenarios are hard to prove doesn’t mean they never happen, or that we shouldn’t assume they did in the absence of evidence to the contrary. That’s especially true as “ransoming” becomes a feature of multi-function malware: just another check-box option for cyber criminals alongside data theft, denial-of-service botnets and spamming.
Another argument is that OCR directives are a good way to get the attention of healthcare organizations, which have been criticized for focusing on the confidentiality of patient information at the expense of more holistic security, such as the availability of the systems that hold that information.
For more on ransomware attacks, check out this Security Ledger podcast with Digital Guardian’s global security advocate Thomas Fischer, who talks about why ransomware is such a big problem for businesses these days.