
HHS Releases HIPAA Guidance on Ransomware

New guidance on ransomware reinforces the importance of compliance with the Health Insurance Portability and Accountability Act (HIPAA) to prevent and recover from cyber threats.

Ransomware is a cybersecurity threat in which an attacker gains access to a network, encrypts its data, and holds the network hostage for payment.

The guidance, released by the U.S. Department of Health and Human Services’ (HHS’) Office of Civil Rights (OCR), outlines HIPAA-required security measures that might protect systems, including:

  • conducting a risk analysis to identify threats;
  • training personnel to detect and report malicious software; and
  • maintaining a contingency plan.

The OCR guidance follows recent technical guidance from HHS and the U.S. departments of Homeland Security and Justice that contained hospital best practices to prevent and mitigate the damage of ransomware.

Contact Director of Policy Erin O’Malley at or 202.585.0127 with questions.


About the Author

Rachel Schwartz is a former policy associate at America's Essential Hospitals.
