Echoing other agencies in recent weeks, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued an alert sharing resources to address and protect institutions against the recent influx of ransomware attacks.  Resources included a White House Memo urging companies to strengthen their commitment to cybersecurity.

Similar to other recommendations we have recently written about (for example those from NYDFS), OCR recommends that the private sector:

  1. Implement the five best practices from the President’s May 2021 Executive Order on Cybersecurity: (a) multifactor authentication, (b) early detection of cybersecurity vulnerabilities, (c) robust response to cybersecurity incidents, (d) encryption, and (e) dedicated security teams;
  2. Back up all information and data, regularly test backups, and keep the backups offline and not connected to core business systems;
  3. Update and patch operating systems, applications, firmware and other systems promptly;
  4. Test and optimize incident response plans;
  5. Run third-party checks to ensure system security; and,
  6. Segment networks to minimize damage in the event of a system compromise.

Putting it Into PracticeThough these guidelines have no binding effect, they provide timely insight into OCR’s expectations for HIPAA covered entities and business associates to protect against cyberattacks.  Failure to implement the above guidance may leave companies at risk not only to ransomware attacks but also greater scrutiny from the government in the event of a data breach.