HHS OCR Shares Cybersecurity Actions to Prevent Ransomware

Recently, both the size and the number of ransomware attacks have been on the rise, adversely affecting industries and organizations ranging from information technology firms and gasoline pipelines to meat processors and local, state and federal government agencies. Cyberattacks on health care facilities have also occurred, leaving staff unable to access electronic medical records and threatening patient care.

In light of the increasing threat posed by cyberattacks, the federal government has made the promotion of cybersecurity practices a priority. The Department of Health and Human Services, Office for Civil Rights (“OCR”), the agency responsible for enforcement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), released on June 9 a Cyber Alert via its Privacy and Security Rule listservs, entitled “Updates on Ransomware and Critical VMWare Vulnerability.” The Cyber Alert shared a White House memo issued on June 2 by Anne Neuberger, the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, urging government entities and the private sector to take action to prevent cyberattacks. The White House memo further outlined five recommended best practices to reduce risk, as first set forth in the May 2021 “Executive Order on Improving the Nation’s Cybersecurity.” These recommendations include:

  • Backing up data, system images, and configurations, regularly testing them and keeping backups offline
  • Updating and patching systems properly
  • Testing incident response plans
  • Checking the work of security teams
  • Segmenting networks

Although these best practices were directed at government agencies, they can also be viewed as a reasonable baseline for cybersecurity practices in any organization.

In addition, the OCR listed in its Cyber Alert numerous helpful resources available to health care facilities to help protect against ransomware attacks. Health care facilities and providers that are “covered entities” under HIPAA have been required to comply with the HIPAA Security Rule, including the requirements to conduct a Security Rule risk analysis and to implement administrative, physical and technical safeguards, since 2005. Nevertheless, as enforcement settlements announced by the OCR have illustrated, many facilities and providers still lag in adopting and implementing even basic security measures, putting not only patient data but also the entities’ business operations at risk. As the White House memo noted, “[a]ll organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location.”

Health care organizations and providers of all sizes should review the Cyber Alert, the Executive Order, and cybersecurity guidance materials to assess vulnerabilities and implement and prioritize updates to cybersecurity measures.