With HIPAA compliance training, ideally your practice will know a ransomware attack is underway because of the detection and reporting training provided to all end users. However, most practices aren’t aware an attack is happening until data is encrypted and payment is demanded. The Office for Civil Rights (OCR) has developed a series of recommended steps to be taken once a ransomware attack has been detected in order to protect patient information:

Determine the scope of the incident such as which networks, systems, and applications are being affected.
Try to determine the method of attack and areas of vulnerability. Try to ascertain whether the attack is complete or if it has initiated other attacks.
Contain the impact of the ransomware and determine whether the attack caused a breach of electronic protected health information (ePHI).
If an ePHI breach has occurred, your practice must follow HIPAA breach notification provisions. If the breach affected more than 500 people, your practice must notify the affected patients, the Secretary of HHS, and the media.
Remove all instances of vulnerability that enabled the attack. This could be a system issue, human error, or both.
While restoring data, your practice can return to normal daily operations.
Post-incident, your practice should review its processes in order to incorporate lessons learned into security management and emergency plans.

A few ransomware prevention steps the FBI recommends are listed below:

Those with an administrator account should only use their administrator access as needed. Otherwise, the user should use a standard account.
Disable macro-script from email office files.
Whitelist only those programs approved by the security management protocol.