The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has been highlighting the threat posed by “ransomware”—malicious software that cyber criminals use to lock an organization out of its own systems and files, after which they demand that the organization pay a ransom to regain access. OCR launched its Cyber-Awareness initiative on Feb. 2 by emailing entities in the health care community an alert about the dangers that ransomware presents to their operations. Within two weeks of the OCR alert, the world learned how real this problem is when a hospital made national headlines as the victim of a ransomware attack.

According to OCR and the FBI, ransomware has become a popular tool in the cybercrime world to extort money from companies by locking them out of their own computer resources.  Losing access to important files for even a short period of time can have crippling consequences for any entity victimized by a ransomware attack and may endanger patients and plan participants.  Because of the dire potential impact, many ransomware victims face the difficult dilemma of whether to pay the cyber criminals to get operations back online and provide necessary services to their patients and members.  Consequently, covered entities and business associates should work with knowledgeable experts to identify how a successful attack might affect their operations and implement measures to mitigate the ransomware risk.
