The European Data Protection Board has issued new advice to hospitals regarding what action to take in the event of a cyber-attack.
Currently released in draft form, the new set of recommendations urges healthcare providers hit with ransomware to report the attack even if no patient data is accessed or exfiltrated.
The guidelines state: "The internal documentation of a breach is an obligation independent of the risks pertaining to the breach and must be performed in each and every case."
A series of attack scenarios are described in the recommendations along with appropriate prior measures, risk assessment, mitigation, and obligations.
"The fact that a ransomware attack could have taken place is usually a sign of one or more vulnerabilities in the [data] controller's system," state the guidelines.
In example case number three, a hospital suffers a ransomware attack in which data was encrypted but not exfiltrated and backups of the data are available in an electronic form. Such an attack could have a large impact on patients, according to the EDPB.
"The quantity of breached data and the number of affected data subjects are high, because hospitals usually process large quantities of data," state the guidelines.
"The unavailability of the data has a high impact on a substantial part of the data subjects. Moreover, there is a residual risk of high severity to the confidentiality of the patient data."
Despite data restoration's being possible in this circumstance, the EDPB said such an attack still posed a big risk to patient data.
"The type of the breach, nature, sensitivity, and volume of personal data affected in the breach are important," state the guidelines.
"Even though a backup for the data existed and it could be restored in a few days, a high risk still exists due to the severity of consequences for the data subjects resulting from the lack of availability of the data at the moment of the attack and the following days."
The guidelines go on to say that patients who experience major delays in care as a result of a ransomware attack should be informed directly of the attack by the data controller.
“It might be a step too far, to require a communication like this,” commented Dirk Schrader, global vice president at New Net Technologies (NNT).
“The formulated requirement to communicate a data breach to patients affected with the delays caused by it, can create another path for extortion by attackers.”