CONGRESSMAN LIEU STATEMENT ON NEW HHS GUIDANCE ON RANSOMWARE

WASHINGTON – Today, Congressman Ted W. Lieu (D | Los Angeles County) issued the following statement regarding new guidance by the Department of Health and Human Services on how to respond to the threat of ransomware attacks.

UNITED STATES - FEBRUARY 3: Rep. Ted Lieu, D-Calif., participates in the House Oversight and Government Reform Committee hearing on "Inspectors General: Independence, Access and Authority" on Tuesday, Feb. 3, 2015. (Photo By Bill Clark/CQ Roll Call)


After several high-profile ransomware attacks against American hospitals in March 2016, Congressman Lieu expressed concerns that hospitals and health providers lacked clear rules and regulations as to how to respond to ransomware attacks. In May, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced it would issue guidance to health providers on how to respond to ransomware attacks under HIPAA and HITECH. On June 27, 2016, Representatives Lieu and Hurd wrote a letter to OCR urging it to use the guidance to make clear that ransomware attacks constitute a breach under HIPAA and HITECH regulations and to lay out clear parameters on how to respond in order to protect the public.

“I am pleased the Department of Health and Human Services has responded to the concerns outlined in our letter and issued guidance making clear that most ransomware and malware attacks should be considered a breach under the HITECH law. This means ransomware and malware intrusions would be subject to risk assessments and disclosure requirements. I am also pleased the Office of Civil Rights updated and reinforced best practices on how to respond to and mitigate the effects of ransomware attacks to ensure continued access to personal health information and availability of health care services.”

“The guidance is a substantial improvement in making sure that hospitals and health providers take steps to address the threat of ransomware and to notify the public. However, the guidance may have some room for improvement when it comes to responding to the public safety threat posed by ransomware. The authority granted to HHS by HIPAA and HITECH is limited to protecting privacy concerns. Statutory changes may be necessary in order to enable HHS and the industry to better collaborate and respond. I will continue to meet with experts, officials and advocates in the field to determine the best approach to protect the public from these cyber-attacks.”