On July 11, 2016, the Department of Health and Human Services – Office for Civil Rights (“OCR”), the office that enforces the Health Insurance Portability and Accountability Act (“HIPAA”), sent out an email detailing new guidance to help health care organizations fight ransomware attacks. These attacks are increasing in frequency and protected health information (“PHI”) held by health care organizations presents a particularly attractive target. Further details on ransomware and an outline of OCR’s guidance are provided below.

What is “ransomware”?

Ransomware is an increasingly popular form of cyber-attack on information resources. The malicious software typically infiltrates the system undetected, often through spam and phishing messages that trick authorized users into opening attachments or visiting websites that allow the software to enter the system. Once the ransomware has infiltrated the system, it can be used to deny access by the user to files, often by encrypting the data. The actor who controls the ransomware program will then demand a ransom to provide the encryption key or otherwise unblock access to the files. While ransomware can be used to target a wide range of business and personal devices, health care organizations are a particularly attractive target for criminals due to the sensitivity and criticality of the information they maintain.

OCR Guidance

OCR’s ransomware guidance (available in full here) provides tips to help health care organizations prevent and recover from ransomware attacks, including certain HIPAA-specific considerations:

  • Prevention. The guidance highlights a thorough security management process as a key step in preventing ransomware attacks. Such a process should include a risk analysis to identify threats and vulnerabilities to electronic PHI (“ePHI”) and a risk management plan to implement security measures addressing those risks, both of which are generally required by HIPAA. Beyond these general requirements, specific measures to defend against this type of malware should also be implemented (for example, regular updates to network device firmware).
  • Detection. While ransomware is often only detected after access to files is denied, the organization should still attempt to look for early indications. Employees should receive regular training on ransomware and other types of malware, including how to detect and report such incidents. If members of the workforce are able to recognize red flags such as malicious attachments, increased CPU or disk activity for no apparent reason, or the inability to open certain files, such information could in principle help to minimize the impact of an attack (or in some cases, prevent it).
  • Response. Of course, prevention and detection will not always be enough to mitigate the effects of ransomware. As such, organizations should have a contingency plan in place that includes procedures for containing the attack and determining its scope, origin, and the security measures that may need to be implemented or strengthened in response. Organizations should also have emergency operations plans and maintain backups and testing in order to increase the ability to maintain operations during the attack and recover after the fact.
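The detection point above notes that the inability to open files is usually noticed only after the damage is done, and that earlier indications are worth looking for. One such indication is a single process renaming many files to a new extension within a short window, which is how file-encrypting malware commonly leaves its mark. The following is an added example, not part of the OCR guidance or the original post; the audit-log format, the process names and the thresholds are constructed assumptions for illustration.

```python
"""Flag ransomware-like mass extension changes in a file-audit log.

Added example, not from the OCR guidance or the original post. The log line
format ("<ISO timestamp> <process> <WRITE|RENAME> <path>[ -> <new path>]"),
the sample events and the thresholds are constructed assumptions.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: routine activity, one benign move that keeps the
# extension, then one process renaming six records to ".locked" in ten seconds.
SAMPLE_LOG = """\
2016-07-11T09:00:01 libreoffice RENAME /home/alice/report.tmp -> /home/alice/report.docx
2016-07-11T09:00:05 thunderbird WRITE /home/alice/.thunderbird/mail.msf
2016-07-11T09:01:00 nautilus RENAME /home/alice/a.docx -> /home/alice/archive/a.docx
2016-07-11T09:02:10 svc_update.exe RENAME /srv/ehr/records/p001.pdf -> /srv/ehr/records/p001.pdf.locked
2016-07-11T09:02:12 svc_update.exe RENAME /srv/ehr/records/p002.pdf -> /srv/ehr/records/p002.pdf.locked
2016-07-11T09:02:14 svc_update.exe RENAME /srv/ehr/records/p003.xml -> /srv/ehr/records/p003.xml.locked
2016-07-11T09:02:16 svc_update.exe RENAME /srv/ehr/records/p004.pdf -> /srv/ehr/records/p004.pdf.locked
2016-07-11T09:02:18 svc_update.exe RENAME /srv/ehr/records/p005.jpg -> /srv/ehr/records/p005.jpg.locked
2016-07-11T09:02:20 svc_update.exe RENAME /srv/ehr/records/p006.pdf -> /srv/ehr/records/p006.pdf.locked
2016-07-11T09:05:00 libreoffice RENAME /home/alice/draft.tmp -> /home/alice/draft.odt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (WRITE|RENAME) (.+)$")


def parse_line(line):
    """Parse one audit line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, action, rest = m.groups()
    rec = {"ts": datetime.fromisoformat(ts), "proc": proc, "action": action}
    if action == "RENAME":
        old, new = (p.strip() for p in rest.split(" -> ", 1))
        rec["old"], rec["new"] = old, new
    else:
        rec["path"] = rest.strip()
    return rec


def extension(path):
    """Lower-cased file extension, e.g. '.locked'."""
    return os.path.splitext(path)[1].lower()


def detect_mass_rename(lines, window=timedelta(seconds=60), threshold=5):
    """Return alerts for processes that change the extension of at least
    `threshold` files within any `window`-long sliding interval.

    Renames that keep the extension (plain moves) are ignored, so ordinary
    file management does not trip the rule.
    """
    events = defaultdict(list)  # process -> [(timestamp, new extension)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "RENAME" and extension(rec["old"]) != extension(rec["new"]):
            events[rec["proc"]].append((rec["ts"], extension(rec["new"])))

    alerts = []
    for proc, evs in sorted(events.items()):
        evs.sort()
        best, best_exts, start = 0, set(), 0
        for end, (ts, ext) in enumerate(evs):
            # Slide the window start forward until it fits within `window`.
            while ts - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_exts = {e for _, e in evs[start:end + 1]}
        if best >= threshold:
            alerts.append({"proc": proc, "count": best, "new_exts": sorted(best_exts)})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_mass_rename(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT: {alert['proc']} changed {alert['count']} file extensions "
              f"to {alert['new_exts']} within one minute")
```

Running the block reports only the process that relabelled six patient records in ten seconds; the two ordinary renames by the office suite and the file-manager move are below the threshold or keep their extension. In practice the thresholds would be tuned to the organization's own baseline, and an alert of this kind would feed the contingency plan's containment step rather than stand alone.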

In addition to the above, OCR’s guidance clarifies that a ransomware attack could be considered a breach under the HIPAA Breach Notification Rule. This means that, in certain circumstances, covered entities under HIPAA experiencing a ransomware attack might be required to notify individuals, the media, and the Secretary of Health and Human Services. By way of example, OCR noted that the encryption of ePHI during a ransomware attack could result in a breach, since the ePHI would have been taken into the possession or control of an unauthorized individual, resulting in a “disclosure” not permitted by HIPAA. 

This new guidance highlights not only OCR’s role in helping the health care industry combat new threats, but also its expectation that health care organizations will take a proactive approach to addressing them. As such, health care organizations should evaluate their security programs, and develop or update policies and procedures and other security measures, as needed to respond to new challenges.

Contributors – Michael Egan and Jeff Dunifon


Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.