Ransomware Attacks Can't Hide from HIPAA Anymore

   July 19, 2016

Hospital and health system executives are on notice: Come clean about ransomware attacks as early as possible or be prepared to face sanctions.

Ransomware, the scourge of healthcare IT for much of 2016, is no longer something healthcare executives can try to sweep under the rug.

A pronouncement from CMS last week clarifies that any ransomware attack is also likely a data breach, which must be reported like any HIPAA violation.

This puts healthcare executives on notice that they must come clean about ransomware attacks as early as possible or potentially face sanctions.

"Several organizations I'm aware of that have been hit by ransomware attacks and they managed to keep [such knowledge] internal," says Dean Sittig. He is the co-author of a paper on ransomware published last month in Applied Clinical Informatics.

In particular, Sittig, a clinical informatics professor at the University of Texas Health Science Center at Houston (UTHealth) and the UTHealth-Memorial Hermann Center for Health Care Quality and Safety, had critical words for MedStar Health, the Washington, D.C.-area health system hit by a ransomware attack this spring.

"MedStar officially came out and said 'no, it wasn't ransomware,' and then about a few hours later, a picture of the screen [goes public] showing the ransomware that's on the networks" of the organization, Sittig says.

Similarly, during the attack, MedStar officially denied it was diverting patients to other hospitals, until another unauthorized disclosure revealed an e-mail sent out by MedStar advising not to admit any more patients during the attack, he says.

"It's usually when someone in the organization gets mad at their organization [that] they go to the press," Sittig adds.

Potential for Big Fines
Now, with the CMS guidance, Sittig expects organizations will opt to publicly report ransomware attacks in the kind of timely manner that other breach notifications are reported.

Prior to this, it is conceivable that some healthcare organizations just considered paying ransoms as a small added cost of doing business, provided the ransom was paid quickly and operations continued much as normal, Sittig says.

"Recently there's been a couple of ransomware attacks where it looks like they [have] not only encrypted all your data, but also made a copy of your data and taken it," he says.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.