In the spirit of National Cybersecurity Awareness Month, the Office for Civil Rights (“OCR”) released a new video on October 17, 2024, to promote awareness of ransomware trends in the healthcare industry and how HIPAA subject entities can combat ransomware. OCR’s video covers breach and ransomware trend analysis, reviews OCR’s ransomware guidance and materials, analyzes ransomware attack chains, and discusses how compliance with the HIPAA Security Rule can combat ransomware.
Cyberattacks, including ransomware, continue to be the greatest security threat facing the healthcare industry and the protected health information it holds. There has been a 264% increase in large breaches involving ransomware attacks reported to OCR since 2018.[1] Since OCR settled its first ransomware case on October 31, 2023, there have been four OCR settlements related to ransomware attacks, two of which have occurred within the last 30 days.[2] The settlements, coupled with the timing of OCR’s video, underscore the importance of complying with the HIPAA Security Rule to provide a baseline defense against ransomware attacks and avoid monetary penalties.
You can access OCR’s video here: Ransomware and the HIPAA Security Rule.
[1] HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation, OCR (Oct. 3, 2024), https://www.hhs.gov/about/news/2024/10/03/hhs-ocr-imposes-civil-monetary-penalty-against-providence-medical-institute-hipaa-ransomware-cybersecurity-investigation.html.
[2] HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation Under HIPAA Security Rule for $250,000, OCR (Sept. 26, 2024), https://www.hhs.gov/about/news/2024/09/26/hhs-office-civil-rights-settles-ransomware-cybersecurity-investigation-under-hipaa-security-rule-250-000.html; HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation, OCR (Oct. 3, 2024), https://www.hhs.gov/about/news/2024/10/03/hhs-ocr-imposes-civil-monetary-penalty-against-providence-medical-institute-hipaa-ransomware-cybersecurity-investigation.html.
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author(s). This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.