Lawmaker considering bill requiring hospitals to report ransomware attacks

Rep. Ted Lieu (D-Calif.) may draft legislation that would require hospitals to notify patients in the event of a ransomware attack, reports Bloomberg BNA.

Federal law requires healthcare organizations and affiliated business entities to report to the government and patients when a data breach compromises sensitive information of 500 or more individuals. However, there's no requirement to report a ransomware attack because such an attack generally just locks data and doesn't extract it, according to the article.

Rep. Lieu called this a "loophole" in legislation and said requiring notification of a ransomware attack will help lawmakers understand how cybercriminals are trying to gain access to information.

"It's difficult for policymakers, or anyone, to have a handle on the problem if we don't get information that it's happening," Rep. Lieu told Bloomberg BNA.

Rep. Lieu's considerations come after a string of ransomware attacks struck the healthcare industry. In February, hackers shut down the network at Hollywood (Calif.) Presbyterian Medical Center, and in March, Methodist Hospital in Henderson, Ky., reported a ransomware incident.

This article was updated March 30 to correct the spelling of Rep. Lieu's name. We regret the error.
