- While cyberattacks on healthcare organizations are on the rise, some ransomware attacks go unreported because they don’t expose patients’ medical or financial information, The Wall Street Journal reported. For example, HHS doesn’t require health systems to report ransomware attacks, which hold computer networks hostage until a ransom is paid, despite their disrupting hospital operations and patient services.
- Now two congressmen want to close that loophole. Reps. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) are pressing HHS to mandate hospital reporting of ransomware attacks.
- The push comes as HHS is warning healthcare organizations of a new potential threat called Hidden Cobra, which takes advantage of vulnerabilities in Microsoft products, according to Becker’s Health IT & CIO Review.
When cyberattacks and breaches of patient information are reported, other hospitals can learn from the experience and take steps to defend themselves from similar future attacks. If some breaches aren’t publicly reported, the ability to prepare for vulnerabilities is limited.
Ransomware has been a popular vehicle for hospital attacks. In February 2016, Hollywood Presbyterian Medical Center paid cybercriminals roughly $17,000 in bitcoin after a ransomware attack. Columbia, Md.-based MedStar Health and Chino Valley Medical Center and Desert Valley Hospital all were also victims of ransomware attacks last year.
In May, the international WannaCry ransomware attack froze computers at hospitals across the United Kingdom, forcing them to suspend services and turn patients away. The ransomware entered computers via phishing emails and demanded payment in bitcoin to release the files it had encrypted. More than 40 hospitals were affected.
Worldwide, Europol stated in May the attack hit more than 150 countries affecting more than 200,000 individuals, The Washington Post noted. HHS said there was evidence the attack hit organizations in the U.S., too, but didn’t provide many details. The agency suggested this month any WannaCry-infected hospitals report the event to the U.S. Secret Service Electric Crimes Task Force or the FBI Field Office Cyber Task Force.