One of the fastest-growing areas of cybercrime is ransomware. Ransomware is a type of malicious software that encrypts data and makes it inaccessible to authorized users. The hackers who orchestrate ransomware attacks demand that authorized users pay a ransom in order to obtain the key to decrypt their data. Payment is generally required in bitcoin (or other forms of cryptocurrency) in order to maintain anonymity.
In an effort to combat the proliferation of ransomware attacks, the Office for Civil Rights (“OCR”) has released guidance on ransomware attack prevention and recovery from a healthcare entity’s perspective. OCR’s guidance includes a discussion of the role of the Health Insurance Portability and Accountability Act (“HIPAA”) in helping covered entities and business associates prevent and recover from ransomware attacks, and of how HIPAA breach notification should be handled in response to ransomware attacks. Portions of OCR’s guidance, along with commentary, are summarized below.