New Federal Ransomware Guidance

19 July 2016

Key takeaways

  • Ransomware attacks have spiked recently across multiple sectors of the economy, and they are increasingly being launched against larger enterprises.
  • The U.S. Department of Health and Human Services’ new guidance on ransomware is directed at entities regulated under HIPAA (covered entities and their business associates), but it is valuable reading for companies of all kinds. The guidance details specific responsibilities of organizations subject to the data security provisions of federal healthcare law: to guard against ransomware attacks, and to report them when they occur. The latter point appears to mark a notable shift in the notification requirements arising from ransomware attacks.
  • The guidance calls on entities subject to HIPAA to implement policies and procedures aimed at preventing, detecting and responding to ransomware attacks and limiting their impact, and it lists specific steps that such entities should consider undertaking. The guidance also treats the presence of ransomware on a system as a “security incident” for purposes of the Security Rule, and indicates that breach notification obligations may be triggered when ransomware encrypts electronic protected health information, unless the entity can demonstrate a low probability that the information has been compromised.