Ransomware a 'legal ambiguity,' not quite a data breach

The recent string of ransomware attacks in healthcare brings to light a new question: Are ransomware attacks considered data breaches, and as such, what are the ramifications if a hospital is targeted with this particular type of malware?

There is no legal requirement for hospitals to report a ransomware attack. When a system is hit with ransomware, the malware typically encrypts files in place so that they lock up and become inaccessible; the cybercriminal perpetrating the attack doesn't extract or access that data. Because no data is actually exposed, there is no breach of data in the legal sense and no obligation to report the incident to the federal government.

Dan Munro, a healthcare innovation and policy writer for Forbes, writes that ransomware presents a "legal ambiguity" in regard to HIPAA regulations because there technically is no breach of protected health information in these ransomware attacks.

Some lawmakers want to change that classification, such as Rep. Ted Lieu (D-Calif.), who is considering drafting legislation that would require hospitals to notify patients of a ransomware attack, according to Bloomberg BNA. Rep. Lieu said the fact that hospitals don't have to report ransomware attacks because there is no compromised PHI is a "loophole" in the legislation, and requiring hospitals to report such attacks will help cyber defenses.

"It's difficult for policymakers, or anyone, to have a handle on the problem if we don't get information that it's happening," Rep. Lieu said in the report.

And ransomware attacks certainly are happening. Mac McMillan, co-founder and CEO of healthcare security and privacy consulting firm CynergisTek, previously told Becker's Hospital Review that some hospitals record tens of thousands of suspected ransomware events every day. Oftentimes these attacks are caught and mitigated before they can paralyze a computer system, but the number of successful attacks is increasing.

Healthcare remains a target for hackers and cybercriminals, and if recent ransomware events are any indication, the number of attacks will continue to grow. This fact, Mr. Munro writes, is where the industry's concerns should lie.

"Ultimately it's not the type or brand of virus that's used to infect healthcare — or even the lack of visibility on the part of regulators to see what's really happening," Mr. Munro said. "It's the message of lax security that's being broadcast to cybercriminals around the world. That message is all too clear. U.S. healthcare is both a rich target and easy prey."
