Your Money or Your PHI: New Guidance on Ransomware

July 14, 2016

According to Jocelyn Samuels, director of the HHS Office for Civil Rights, "One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyberattacks on electronic health information systems, such as through ransomware."

To help health care entities better understand and respond to the threat of ransomware, OCR has released new Health Insurance Portability and Accountability Act (HIPAA) guidance on ransomware.

What is ransomware? Ransomware is a type of malicious software that encrypts data with a key known only to the attacker, making the data inaccessible to authorized users. The attacker then demands that the authorized users pay a ransom in order to obtain the key needed to decrypt the data. Ransomware typically enters devices and systems through phishing emails and malicious websites, when a user clicks a malicious link or opens an infected email attachment.

What does the new ransomware guidance entail? The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain and respond to threats, including:

  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
  • Implementing procedures to safeguard against malicious software;
  • Training authorized users on detecting malicious software and reporting such detections;
  • Limiting access to ePHI to only those persons or software programs requiring access; and 
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

What can health care entities do to avoid a ransomware attack? 
HIPAA covered entities and business associates are required to develop and implement security incident procedures, along with response and reporting processes, that are reasonable and appropriate for responding to malware and other security incidents. Strong safeguards, together with privacy and security certification, will help health care entities better understand and reduce their risk of cyberattacks.

Read OCR's ransomware guidance here: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf 

To learn about SECURETexas, the first state program of its kind offering certification for compliance with state and federal privacy and security laws, please visit www.securetexas.org