More than 4,000 ransomware attacks occur daily, and healthcare is the largest target. Yet despite HIPAA's disclosure requirements and the penalties for late or missing breach notification, the number of breaches actually reported simply doesn't match the volume of attacks.
I found some interesting data in a new survey by Healthcare IT News and HIMSS Analytics: more than half of the hospitals surveyed were hit with ransomware between April 2015 and April 2016, yet breach reporting to the OCR over that period was practically non-existent.
The Office for Civil Rights (OCR) is an office within the U.S. Department of Health & Human Services (HHS). Under the Health Insurance Portability and Accountability Act (HIPAA), the OCR can levy significant fines on health care providers and their business associates if protected health information (PHI) is lost or stolen.
As ransomware attacks have increased, one would expect OCR breach reporting to have increased more or less concurrently, but only nine (!) organizations reported malware or ransomware breaches to OCR in 2016.
"Because ransomware is so common, hospitals aren't reporting them all," said ICIT Senior Fellow James Scott. "And ransomware is just the start for more specific actors to send in another attack and start mapping the system."