While reports of kidnappings and hostage takings are, thankfully, extremely rare on U.S. soil, U.S. companies and governmental entities are increasingly becoming targets of extortion cyber attacks called ransomware attacks. Using malware that encrypts files and that is often disguised as an email link or attachment, would-be thieves gain access to a victim's computer files, render them unreadable, and essentially hold them for ransom. In cases where a company fails to pay a Bitcoin ransom, the thieves threaten to delete all of the affected files.
While health care institutions have scrambled to ensure that they are in compliance with the Health Information Technology for Economic and Clinical Health (HITECH) Act with regard to the implementation of electronic health records (EHRs), few have security measures in place to defend against ransomware attacks.
In recent weeks, several hospitals reported being the targets of ransomware attacks, which confirms the vulnerability of patients' health care records as well as a general lack of vigilance and preparedness when it comes to cyber security. However, some of the blame lies with legislators whose efforts to pass HITECH, along with its aggressive mandated EHR deadline, have exposed the health care industry's security weaknesses and thereby made them easier to exploit.
Currently, HITECH requires that health care organizations alert patients when their medical records are breached. However, nothing in the law pertains to ransomware attacks or to the notification of patients whose records are frozen and in jeopardy of being deleted. To address this issue, the director of the Bureau of Consumer Protection at the Federal Trade Commission has called upon both Republican and Democratic lawmakers to pass legislation that would allow impacted patients to "seek civil penalties."
Sources:
SC Magazine, "FTC, legislators call for improvements in health-care IT laws, including ransomware protection," Bradley Barth, March 22, 2016
SC Magazine, "An answer to ransomware?," Marcos Colon, April 1, 2016