Senior Communications Manager
Kirk Nahra Comments on Congressional Request for New Ransomware Guidance
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in Healthcare Info Security about a recent letter from two members of Congress to the U.S. Department of Health and Human Services (HHS) regarding ransomware.
Reps. Ted Lieu (D-CA) and Will Hurd (R-TX) asked HHS’ Office for Civil Rights (OCR) to ensure that its upcoming guidance on ransomware addresses the differences between ransomware attacks and other types of data breaches.
Mr. Nahra noted that the letter reflects some areas of confusion when it comes to ransomware attacks and patient notification issues. “It is certainly correct that the ‘typical’ ransomware event—if there is such a thing—is different than many other situations where patients have been notified about security breaches,” such as when data is lost or stolen, he said.
He explained that in a ransomware attack, the data typically isn’t “taken.” Rather, “it is simply ‘locked’ so that the right person, for example, a hospital, can’t access it,” he said. “That is a very different kind of event.”
Mr. Nahra also pointed out that current breach notification laws require reporting to the government only when there is notice to an individual. “So, while it might make sense to develop a new rule or law relating to notice to the government in situations where no notice to an individual makes sense, that also is not current law.”
He added that even if OCR were to include in its guidance that entities hit by ransomware attacks notify HHS, current HIPAA rules do not support that requirement. “HIPAA today does not have any general ‘notify the government’ obligation independent of an obligation to notify individuals.”
To read the complete article, please click here.