OCR Urges Private Sector To Beef Up Ransomware Protections

Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

Echoing other agencies in recent weeks, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) issued an alert sharing resources to address and protect institutions against the recent influx of ransomware attacks. Resources included a White House Memo urging companies to strengthen their commitment to cybersecurity.

Similar to other recommendations we have recently written about (for example those from NYDFS), OCR recommends that the private sector:

  1. Implement the five best practices from the President's May 2021 Executive Order on Cybersecurity: (a) multifactor authentication, (b) early detection of cybersecurity vulnerabilities, (c) robust response to cybersecurity incidents, (d) encryption, and (e) dedicated security teams;
  2. Back up all information and data, regularly test backups, and keep the backups offline and not connected to core business systems;
  3. Update and patch operating systems, applications, firmware and other systems promptly;
  4. Test and optimize incident response plans;
  5. Run third-party checks to ensure system security; and,
  6. Segment networks to minimize damage in the event of a system compromise.

Putting it Into Practice: Though these guidelines have no binding effect, they provide timely insight into OCR's expectations for HIPAA covered entities and business associates to protect against cyberattacks. Failure to implement the above guidance may leave companies at risk not only of ransomware attacks but also of greater scrutiny from the government in the event of a data breach.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
