The Office for Civil Rights (“OCR”) released guidance on July 11, 2016 regarding ransomware and HIPAA. This guidance outlines activities supported by HIPAA that will assist Covered Entities and Business Associates in either preventing or quickly responding to ransomware attacks. To illustrate, the guidance calls for:

  • Implementing a security management process, including conducting a risk analysis and mitigating identified risks;
  • Implementing processes and technology to guard against and detect malicious software;
  • Training users on malicious software protection and reporting of malicious software detections with specific emphasis on ransomware;
  • Implementing controls to limit access to ePHI; and
  • Maintaining an overall contingency plan.

The OCR advice identifies how ransomware attacks can be analyzed to assess breach notification requirements under HIPAA. It is critical to understand that OCR expects covered entities and business associates to report ransomware attacks as a breach. The only condition for not reporting is if the organization can show, through a documented breach risk assessment, that there is a low probability that the protected health information was compromised.

According to Jennifer Rathburn and Rachel Bryers at Quarles and Brady, LLP, included with this guidance was a letter from Sylvia Burwell, Secretary of the U.S. Department of Health and Human Services, addressed to health care company CEOs. This letter, dated June 20, 2016, highlights the increasing threat of ransomware, and emphasizes key points about ransomware that CEOs should share with senior leadership. One of the main points noted in the letter and its attached inter-agency guidance is the significance of cybersecurity preventive measures to help protect against these ransomware attacks. The letter also outlines appropriate steps that can be taken by an organization in response to a ransomware attack, including considerations when determining whether to pay the demanded ransom.

These documents emphasize the importance OCR is placing on ransomware attacks, and that organizations are expected to implement top-down organization support, comprehensive policies and procedures, appropriate technologies and contingency plans to prevent, detect, respond to, and remediate these attacks.

The guidance can be found at:

Rich Curtiss

Principal Consultant at Clearwater Compliance
Mr. Curtiss has over 35 years of diverse, executive IT experience across several verticals including Healthcare, Finance, Department of Defense, Intelligence Community and Consulting Services. Rich has served in executive information technology and cybersecurity positions as a CIO, CISO, Director and Program Manager. He's a member of the Clearwater consulting team.