HHS Advisory

HIPAA Ransomware Guidance Updated

HHS-HIPAA-2024 • Published February 14, 2024

Severity: high

When ransomware encrypts systems holding patient data at a hospital, practice, or other HIPAA-regulated organization, HHS treats the incident as a presumed breach of unsecured protected health information under the Breach Notification Rule. The organization must notify affected individuals and HHS unless it can demonstrate a low probability that the PHI was compromised, and it can face civil penalties if it was not complying with the Security Rule's risk analysis and safeguard requirements.

Overview

Updated HHS guidance on HIPAA compliance in the context of ransomware attacks. It clarifies that a ransomware incident affecting ePHI is presumed to be a breach requiring notification unless the ePHI was already encrypted in a manner that rendered it unusable, unreadable, or indecipherable to the attacker, or the covered entity or business associate can document through its risk assessment that there is a low probability the PHI was compromised.

Who Is At Risk

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses
  • Business associates
  • Medical technology vendors


Immediate Actions

  1. Verify ePHI encryption at rest
  2. Update risk assessment for ransomware
  3. Review business associate agreements
  4. Test backup and recovery procedures
  5. Document incident response for HIPAA
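Whether ePHI is actually encrypted at rest is the fact that decides the breach presumption above, so it is worth checking on every host that stores it rather than assuming it from policy. The script below is an added example, not part of the HHS guidance or any vendor tool: it parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` emits on Linux and flags every mounted filesystem that is not stacked on a dm-crypt (LUKS) device. The device tree embedded in it is constructed for illustration, not captured from a real system, and the `/boot` exemptions are an assumption about which unencrypted mounts a site tolerates.

```python
"""Flag mounted filesystems that are not backed by a dm-crypt (LUKS) layer.

Added example; the device tree below is constructed, not taken from a real host.
"""
import json
import subprocess
from typing import Iterator, List, Tuple

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output (not a real host).
# sda2 is a LUKS container whose unlocked mapping root_crypt holds "/";
# sdb1 is a plain XFS partition holding the (hypothetical) EHR data directory.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
      {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
        {"name": "root_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "fstype": "xfs", "mountpoint": "/var/lib/ehr"}
    ]}
  ]
}
"""

# Mounts a site may accept unencrypted (assumption: the bootloader partitions hold no ePHI).
DEFAULT_EXEMPT = ("/boot", "/boot/efi")


def _walk(node: dict, encrypted_above: bool = False) -> Iterator[Tuple[dict, bool]]:
    """Yield (node, encrypted) for every device in the tree.

    A node counts as encrypted if it, or any ancestor, is a dm-crypt mapping
    (lsblk type "crypt"), since everything mounted above that layer is stored
    ciphered on the underlying partition.
    """
    encrypted = encrypted_above or node.get("type") == "crypt"
    yield node, encrypted
    for child in node.get("children") or []:
        yield from _walk(child, encrypted)


def unencrypted_mounts(lsblk_json: str, exempt=DEFAULT_EXEMPT) -> List[Tuple[str, str, str]]:
    """Return (device, fstype, mountpoint) for each mounted FS with no crypt layer beneath it."""
    tree = json.loads(lsblk_json)
    findings = []
    for disk in tree["blockdevices"]:
        for node, encrypted in _walk(disk):
            mountpoint = node.get("mountpoint")
            if mountpoint and not encrypted and mountpoint not in exempt:
                findings.append((node["name"], node.get("fstype") or "", mountpoint))
    return findings


def run_lsblk() -> str:
    """Collect the same JSON from the local host (Linux with util-linux lsblk)."""
    result = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in run_lsblk() on a real host.
    for device, fstype, mountpoint in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"UNENCRYPTED: {device} ({fstype}) mounted at {mountpoint}")
```

On the sample tree the check reports only `sdb1` at `/var/lib/ehr`; the root filesystem passes because it sits on the `root_crypt` mapping. Two caveats for using this as evidence: the script only sees block-level encryption, so filesystem- or application-level encryption needs its own check, and encryption at rest does not by itself avoid the breach presumption if the ransomware ran while the volume was unlocked and read the data in clear, which is the normal case for malware executing under a logged-in user. The check establishes the at-rest state that the risk assessment starts from; it does not replace the assessment.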

Official Source

https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-ransomware/index.html
