New HHS Guidance for HIPAA and Ransomware


The U.S. Department of Health and Human Services (HHS) has released new guidance on ransomware and HIPAA at a time when healthcare organizations face a growing number of cybersecurity threats. The guidance is intended to help HIPAA-covered entities and their business associates prevent and recover from ransomware attacks, and it explains how the HIPAA breach notification process applies when a ransomware attack occurs. Notably, the fact sheet treats a ransomware attack that encrypts electronic protected health information (ePHI) as a breach unless the entity can demonstrate a low probability that the PHI was compromised.

The new guidance is largely a summary of established industry best practices. It recommends that organizations identify the risks to their patient information, create a plan to address those risks, put procedures in place to protect systems from malware, train users to recognize malware, limit access to sensitive information to the people who need it, and maintain a disaster recovery plan that includes frequent, tested data backups. The guidance fact sheet can be found here. Read more on this topic at the hhs.gov blog.

If you have any questions or concerns, please contact the MHRI Office of Research Integrity.