
Similar to handwashing before clinical procedures, healthcare organizations must develop habits for cybersecurity prevention measures, states Sylvia Burwell, Secretary of the Department of Health and Human Services (HHS), in a cover letter accompanying recently issued federal guidance aimed at directing the healthcare community's attention to the increasing threat of ransomware. Ransomware events, in which an attacker gains access to an organization's information systems, encrypts the data, and holds it hostage until a payment is received, have recently victimized several healthcare organizations. Citing the uniquely disruptive and debilitating consequences of a ransomware attack for daily operations, Secretary Burwell urged organizations to implement prevention measures such as education, proper cyber hygiene, comprehensive backup and recovery procedures, and continuity planning. Educational materials accompanying the guidance strongly discourage the payment of ransom in response to cyberattacks, citing risks to victims such as being asked for increasing sums of money, being targeted multiple times, and not being able to decrypt data despite having paid the ransom. Secretary Burwell urged healthcare organizations to contact a Federal Bureau of Investigation Field Office Cyber Task Force or a local U.S. Secret Service field office immediately in the event that they are victimized by a ransomware attack. In related news, Representatives Ted Lieu (D-California) and Will Hurd (R-Texas) called on the deputy director for health information policy at the HHS Office for Civil Rights to treat ransomware attacks differently from other cyberattacks.
The Congressmen argued that current requirements for providers to notify patients and provide free credit counseling after breaches are appropriate only if patient files are affected in a ransomware attack, and urged HHS to "aggressively require" the reporting of ransomware attacks to the federal government and industry groups in an effort to thwart additional attacks.

HRC Recommends: Cyberattacks are devastating to healthcare organizations' operations, finances, and reputations; organizations should have plans for managing cyberattacks large and small. In addition to a cybersecurity risk assessment based on the organization's current network infrastructure and medical device inventory, a healthcare organization's information technology management plan should include reliable safeguards against cybersecurity threats, reliable backup systems, and a mitigation plan in the event of network infiltration and malware infection.

Topics and Metadata

Topics: Emergency Preparedness; Health Information Technology; Security/Safety

Care Setting: Hospital Inpatient

Roles: Healthcare Executive; Patient Safety Officer; Risk Manager; Regulator/Policy Maker

Information Type: News

Publication History

Published July 6, 2016

Who Should Read This

Administration, Clinical/biomedical engineering, Health information management, HIPAA security officer, Information technology, Security