HHS Offers HIPAA Guidance on Preventing and Responding to Ransomware Attacks

Last Updated: Jul 5, 2017

Cyberattacks – such as those involving ransomware – are becoming increasingly common. A May 2017 attack known as "WannaCry" caused multiple infections in as many as 150 countries. And, a global ransomware attack on June 27, 2017, is having an impact on organizations in the United States, including pharmaceutical company Merck.

What is ransomware?

The U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) says that ransomware is a type of malicious software (also known as "malware") that encrypts data with a key known only to the hacker, making data inaccessible to authorized users. The hacker might then demand a ransom—often in the form of an online currency such as Bitcoin—in order to decrypt the data. Common ways for a ransomware attack to be initiated include spam, phishing messages, and email attachments.

Why is it important to protect against ransomware and other malicious software?

HIPAA requires both covered entities and business associates to develop and implement security incident procedures, as well as response and reporting processes, that are reasonable and appropriate for responding to security incidents such as a ransomware attack.

HHS-OCR offers a Cyber Security Guidance webpage that can help health care organizations respond to cyber-related security incidents. Its resources include a cyber security checklist and a ransomware fact sheet.

More Resources

Additional information on cybersecurity is available through a variety of U.S. government agencies:

The AMA also offers these resources:

PAMED members who have questions can also contact our Knowledge Center at 855-PAMED4U (855-726-3348) or KnowledgeCenter@pamedsoc.org.
