Ransomware Attacks Can't Hide from HIPAA Anymore

Analysis | By smace@healthleadersmedia.com
July 19, 2016

Hospital and health system executives are on notice: Come clean about ransomware attacks as early as possible or be prepared to face sanctions.

Ransomware, the scourge of healthcare IT for much of 2016, is no longer something healthcare executives can try to sweep under the rug.

A pronouncement from CMS last week clarifies that any ransomware attack is also likely a data breach, which must be reported like any HIPAA violation.

This puts healthcare executives on notice that they must come clean about ransomware attacks as early as possible or potentially face sanctions.

"Several organizations I'm aware of have been hit by ransomware attacks, and they managed to keep [such knowledge] internal," says Dean Sittig. He is the co-author of a paper on ransomware published last month in Applied Clinical Informatics.

In particular, Sittig, a clinical informatics professor at the University of Texas Health Science Center at Houston (UTHealth) and the UTHealth-Memorial Hermann Center for Health Care Quality and Safety, had critical words for MedStar Health, the Washington, D.C.-area health system hit by a ransomware attack this spring.

"MedStar officially came out and said 'no, it wasn't ransomware,' and then a few hours later, a picture of the screen [goes public] showing the ransomware that's on the networks" of the organization, Sittig says.

Similarly, during the attack, MedStar officially denied it was diverting patients to other hospitals, until another unauthorized disclosure revealed an e-mail sent out by MedStar advising not to admit any more patients during the attack, he says.

"It's usually when someone in the organization gets mad at their organization [that] they go to the press," Sittig adds.

Potential for Big Fines
Now, with the CMS guidance, Sittig expects organizations will opt to publicly report ransomware attacks in the kind of timely manner that other breach notifications are reported.

Prior to this, it is conceivable that some healthcare organizations just considered paying ransoms as a small added cost of doing business, provided the ransom was paid quickly and operations continued much as normal, Sittig says.

"Recently there's been a couple of ransomware attacks where it looks like they [have] not only encrypted all your data, but also made a copy of your data and taken it," he says.

"The new HHS guidance is going to really ratchet up people's attention, because now you're also talking about big fines from the government, as well as the effects of the ransomware."

Conceivably, certain ransomware attacks might still not rise to the level of a HIPAA breach, but the conditions seem unlikely, Sittig says.

"Unless you can prove the data didn't leave the system and that it was encrypted, then you have to report it as a HIPAA breach," he says.

CMS guidance and HIPAA violations or not, Sittig expects ransomware attacks to continue as long as the ransom-demanders stand to make any money.

"The only problem with that is a few of the people that have paid the ransoms haven't gotten their data back," he says.

"If they don't release the data when someone pays the ransom, it will quickly get out, and no one else will ever pay a ransom again. But people are not going to stop doing ransomware just because the government puts out a thing like this. They're going to keep doing it until it doesn't pay anymore."

For more on ransomware and data breach strategies, join Hussein Syed, chief information security officer, Barnabas Health, for the HealthLeaders Media webcast, "Preparing for Ransomware and Surviving Today's Data Breaches" on Wednesday, July 20 from 1:00 – 2:00 PM ET.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
