Recently, the HHS Office for Civil Rights (OCR) released new HIPAA guidance on ransomware. In their new guidelines, the OCR reinforced that the network security activities required by HIPAA will help organizations prevent, detect, contain, and respond to ransomware and other cybersecurity threats. Their new guidelines include the following activities:

Conduct a security and risk analysis to identify threats and vulnerabilities to your practice’s ePHI.

Establish a plan to mitigate or remediate the risks identified in the security and risk analysis.

Implement policies and procedures to safeguard against malicious software.

Train staff and providers on how to detect malicious software as well as how to report it.

Limit access to ePHI to only those users and/or software platforms that need access to it.

Maintain a contingency plan that includes disaster recovery, emergency operations, and data backups.

Test your contingency plan data restoration policies and procedures.

The OCR recommends understanding ransomware, how it works, and knowing how to spot it before it can encrypt a significant amount of files. The OCR also made it clear that a ransomware attack generally does result in a breach of healthcare information under the HIPAA Breach Notification Rules.