A new Department of Health and Human Services guide stresses that cybersecurity requirements under healthcare regulations do apply to ransomware and can help organizations prevent and mitigate such attacks, but lawmakers say a new statute might be necessary to handle the threat effectively. The guide was released because lawmakers wanted the difference between ransomware and other cyber-attacks to be clarified. Reps. Will Hurd of Texas and Ted Lieu of California wrote to HHS to ask for guidelines on how HIPAA applies to ransomware attacks.
“I am pleased the Department of Health and Human Services has responded to the concerns outlined in our letter and issued guidance making clear that most ransomware and malware attacks should be considered a breach under the HITECH law,” Lieu said in a statement. “This means ransomware and malware intrusions would be subject to risk assessments and disclosure requirements.” Lieu went on to say, “Statutory changes may be necessary in order to enable HHS and the industry to better collaborate and respond. I will continue to meet with experts, officials and advocates in the field to determine the best approach to protect the public from these cyber-attacks.”