The Wall Street Journal | By Melanie Evans | June 18, 2017 3:30 p.m. ET:
Some breaches at hospitals involving ransomware don’t have to be made public, a loophole some are trying to close.
A cyberattack last year paralyzed MedStar Health computers, forcing the Maryland operator of 10 hospitals and more than 300 outpatient centers to shut down its entire electronic-record system. Doctors logged patient details with pen and paper. Laboratory staff faced delays delivering test results.
“It was three weeks before we got most of everything that was important to us on a daily basis back and operational,” Craig DeAtley, director of the MedStar Institute for Public Health Emergency Readiness, said during a panel organized by federal health officials last year to address cyberthreats.
Yet the attack—and others last year at hospitals in California and Kentucky—don’t appear on the U.S. Department of Health and Human Services’s public list of data breaches. The attacks involved ransomware, a type of software that locks away data until victims pay a ransom. HHS rules say hospitals need only report attacks that result in the exposure of private medical or financial information, such as malware that steals data. When ransomware’s data encryption meets that threshold is a gray area.
Proponents for more mandatory reporting say this regulatory gap limits the health-care system’s ability to fight cybercriminals. Hospitals left in the dark about attacks hitting their rivals are less likely to be ready to defend themselves, they say.