[BreachExchange] MedStar Cyber Attack Shows Need for HHS to Implement Cybersecurity Law

Audrey McNeil audrey at riskbasedsecurity.com
Wed Mar 30 19:54:55 EDT 2016


http://hitconsultant.net/2016/03/30/medstar-cyber-attack/

The FBI is investigating a Monday cyber attack by anonymous hackers that
forced MedStar Health’s 10 hospitals and more than 250 outpatient centers
to shut down their computers and email. After the cyber attack was
discovered, the provider immediately decided to take down all of
its systems as a precaution to prevent further security breaches. The
Washington, D.C.-based healthcare system employs more than 30,000 people
and treats hundreds of thousands of patients in the Washington region. The
incident follows similar cyber attacks targeting at least three other
medical institutions in recent weeks.

“MedStar acted quickly with a decision to take down all system interfaces
to prevent the virus from spreading throughout the organization,”
spokeswoman Ann Nickels said in a statement on Monday. “We are working with
our IT and cyber-security partners to fully assess and address the
situation. Currently, all of our clinical facilities remain open and
functioning.”

On Tuesday, it was reported that MedStar patients were being turned away or
treated without access to the patient’s EHR. By Tuesday evening, MedStar
staff could read — but not update — thousands of patient records in its
central database, a spokeswoman said.

MedStar Cyber Attack Shows Need for HHS to Implement Cybersecurity Law

The chairman of the Senate health committee said the MedStar cyber attack
shows the need for the U.S. Department of Health and Human Services (HHS)
to implement cybersecurity legislation passed by Congress “with the urgency
patients and hospitals deserve.”

“The consequences of cyber attacks like yesterday’s hacking at MedStar
Health can be catastrophic for America’s patients—imagine, an attack
leaving doctors unable to access crucial information in a patient’s health
history or delaying a surgery for hours on end,” Chairman Lamar Alexander
(R-Tenn.) said today. “Congress has passed a law to help keep hospitals and
patients safe from these malicious attacks – calling for Health and Human
Services to give hospitals and doctors clear information on the best ways
to prevent a hack in the first place and putting someone at the agency on
the flagpole if a cyber attack occurs. Yesterday’s attack, which,
unfortunately, is not unique, shows the need for HHS to implement the law
with the urgency patients and hospitals deserve.”

The attack on MedStar Health forced the hospital chain, which serves
hundreds of thousands of patients, to shut down its email and health
records database in an effort to keep the virus from spreading further
throughout the organization. Yesterday’s incident follows similar cyber
attacks targeting at least three other medical institutions in recent weeks.

Cybersecurity Information Sharing Act of 2015

Last year, the Senate health committee authored a provision, which passed
as part of the Cybersecurity Information Sharing Act of 2015, that would
help protect the health care industry from cyber attacks by:

– Charging HHS and its subdivisions with naming an official who is
responsible for leading the agency’s cybersecurity efforts—to coordinate
response and so health organizations will know who is in charge of offering
guidance and support;

– Requesting that the agency issue a report on emerging cyber threats in
the health care industry, so both the agency and the American public have
an accurate picture of the impact of these attacks;

– Creating a task force of health industry leaders and cybersecurity
experts to identify the biggest challenges in securing against cyber
threats and recommend specific solutions to the agency;

– Charging the task force to create a central resource to distribute cyber
intelligence from the federal government to health care organizations in
near real time, so they can rapidly respond to active threats; and

– Instructing HHS to create a series of best practices for health industry
leaders to follow—on a voluntary basis—to help them keep their
organization’s data as secure as possible.