HHS Offers HIPAA Guidance on Preventing and Responding to Ransomware Attacks

Last Updated: Oct 2, 2019

Cyberattacks – such as those involving ransomware – are becoming increasingly common.

The health care industry is not immune to such attacks.

On Oct. 1, 2019, a ransomware attack on DCH Health System in Alabama forced the system to temporarily close its three hospitals to most new patients. A clinic in California also announced that it plans to close in December 2019 following a ransomware attack that prevented clinicians from accessing patient records.

What is ransomware?

The U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) says that ransomware is a type of malicious software (also known as "malware") that encrypts data with a key known only to the hacker, making data inaccessible to authorized users. The hacker might then demand a ransom—often in the form of an online currency such as Bitcoin—in order to decrypt the data.

Common ways for a ransomware attack to be initiated include spam, phishing messages, and email attachments.

Why is it important to protect against ransomware and other malicious software?

HIPAA requires both covered entities and business associates to develop and implement security incident procedures, as well as response and reporting processes, that are reasonable and appropriate for responding to security incidents such as a ransomware attack.

How can I find cybersecurity resources for health care organizations? 

HHS-OCR offers a Cyber Security Guidance webpage that can help health care organizations respond to cyber-related security incidents. Its resources include:

The American Medical Association offers physician cybersecurity resources here.

PAMED members who have questions can also contact our Knowledge Center at 855-PAMED4U (855-726-3348) or
