OCR Provides Guidance to the Healthcare Industry to Combat Ransomware Attacks
In the spirit of National Cybersecurity Awareness Month, the Office for Civil Rights (“OCR”) released a new video on October 17, 2024, to promote awareness of ransomware trends in the healthcare industry and how HIPAA subject entities can combat ransomware. OCR’s video covers breach and ransomware trend analysis, reviews OCR’s ransomware guidance and materials, analyzes ransomware attack chains, and discusses how compliance with the HIPAA Security Rule can combat ransomware.
Cyberattacks, including ransomware, continue to be the greatest security threat facing the healthcare industry and the protected health information it holds. There has been a 264% increase in large breaches involving ransomware attacks reported to OCR since 2018.[1] Since OCR settled its first ransomware case on October 31, 2023, there have been four OCR settlements related to ransomware attacks, two of which have occurred within the last 30 days.[2] The settlements, coupled with the timing of OCR’s video, underscore the importance of complying with the HIPAA Security Rule to provide a baseline defense against ransomware attacks and avoid monetary penalties.
You can access OCR’s video here: Ransomware and the HIPAA Security Rule.
[1] HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation, OCR (Oct. 3, 2024), https://www.hhs.gov/about/news/2024/10/03/hhs-ocr-imposes-civil-monetary-penalty-against-providence-medical-institute-hipaa-ransomware-cybersecurity-investigation.html.
[2] HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation Under HIPAA Security Rule for $250,000, OCR (Sept. 26, 2024), https://www.hhs.gov/about/news/2024/09/26/hhs-office-civil-rights-settles-ransomware-cybersecurity-investigation-under-hipaa-security-rule-250-000.html; HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation, OCR (Oct. 3, 2024), https://www.hhs.gov/about/news/2024/10/03/hhs-ocr-imposes-civil-monetary-penalty-against-providence-medical-institute-hipaa-ransomware-cybersecurity-investigation.html.