New guidance on ransomware reinforces the importance of compliance with the Health Insurance Portability and Accountability Act (HIPAA) to prevent and recover from cyber threats.

Ransomware is a cybersecurity threat in which an attacker gains access to a network, encrypts its data, and demands payment in exchange for restoring access.

The guidance, released by the U.S. Department of Health and Human Services’ (HHS’) Office of Civil Rights (OCR), outlines HIPAA-required security measures that can help protect systems, including

  • conducting a risk analysis to identify threats;
  • training personnel to detect and report malicious software; and
  • maintaining a contingency plan.

The OCR guidance follows recent technical guidance from HHS and the U.S. departments of Homeland Security and Justice that contained hospital best practices to prevent and mitigate the damage of ransomware.

Contact Director of Policy Erin O’Malley at or 202.585.0127 with questions.