The Department of Health and Human Services (HHS) has released five updates on its website in the wake of international ransomware attacks, which affected organizations around the world, including health care organizations in the United Kingdom.
The U.S. Computer Emergency Readiness Team (US-CERT) defines ransomware as a type of malware that infects computers and restricts access to files until a ransom is paid.
The HHS updates include guidance on how victims can report ransomware and share indicators of malicious activity. They also provide information on how Health Insurance Portability and Accountability Act (HIPAA) compliance can help health care organizations prevent and recover from a ransomware attack.
In the case of a ransomware attack, the HHS Office of Civil Rights presumes a breach. The affected organization must determine whether the breach is reportable, as required by the HIPAA Breach Notification Rule, no later than 60 days after discovering the incident. More information about whether a breach is reportable is available on HHS’ ransomware fact sheet.
HHS urges victims of ransomware to contact their FBI Field Office Cyber Task Force for assistance and to report the incident to the US-CERT and the FBI’s Internet Crime Complaint Center. HHS also requests that victims share indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center at HCCIC_RM@hhs.gov.
Contact Director of Policy Erin O’Malley at firstname.lastname@example.org or 202.585.0127 with questions.