Ransomware and HIPAA risks are now closely tied together

Ransomware and HIPAA risks are now inseparable. After a lot of deliberation, ransomware has become part of HIPAA compliance for the Business Associates and Covered Entities that have to demonstrate it. This became official on July 11, 2016, when the HHS issued a new guideline that makes ransomware attacks part of reportable HIPAA breaches.

Although players in the healthcare industry were strident in their view that ransomware and HIPAA risks should be kept separate, what precipitated this decision was the finding of a US interagency report that, in just one year from the middle of 2015, there had been a fourfold increase in the number of ransomware attacks, bringing the number of these attacks on Protected Health Information (PHI) to an alarming 4000 a day.


Ransomware and HIPAA risks have come together primarily for this reason, with the HHS's new guideline setting out the steps Business Associates and Covered Entities need to take to identify a ransomware attack and report it, thereby limiting the potential loss of PHI it causes.

First, a brief understanding of ransomware

Ransomware can be defined in simple terms as malicious software that differs fundamentally from other kinds of malware: rather than stealing data, it denies the user access to their own data at the source. Ransomware operators encrypt the data with a key known only to them and release it only after the user pays them a ransom. Ransomware and HIPAA risks have come together after the HHS realized the dangers of this kind of malware.

Business Associates and Covered Entities are in for a jolt when HIPAA investigations into ransomware breaches find malpractice, because the findings can ruin the practice or business concerned. If ransomware is detected, HIPAA considers it a serious breach of security: the entity is heavily penalized and its reputation is at stake.


How are ransomware and HIPAA risks associated with each other?

The HHS, which is responsible for HIPAA implementation, has issued new guidelines on ransomware and HIPAA risks.

These include:

  • Implementing a security management process, which includes carrying out a risk analysis to identify threats and vulnerabilities to PHI and taking steps to mitigate them;
  • Putting in place measures that detect and guard against malicious software;
  • Helping to protect data by training users to identify and report malicious software; and
  • Putting in place access controls so that only designated, authorized personnel are permitted access.

These measures on ransomware and HIPAA risks sit alongside the existing HIPAA Security Rule, which has its own set of required steps and rules for protecting data privacy.


How do steps for checking ransomware and HIPAA risks need to be implemented?

The important steps for checking ransomware and HIPAA risks are outlined above, but professional help is needed to implement the right steps for identifying and containing them.

The exact ways of doing this will be the subject of a webinar organized by MentorHealth, a leading provider of professional training in all areas of regulatory compliance.


Brian L Tuttle, a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP) and Certified Business Resilience Auditor (CBRA) with over 15 years' experience in Health IT and Compliance Consulting, will be the speaker at this webinar. To understand how to prevent your practice from being hauled up by HIPAA or facing a class action lawsuit after a large breach, register for this webinar by visiting

The proven and established means of protecting businesses and practices from ransomware attacks, breaches and HIPAA enforcement actions will be discussed in detail at this webinar.

An understanding of the risk factors

During the webinar, Brian will also explain the highest risk factors for being sued for wrongful disclosure of PHI, and the manner in which patients are now using state laws to sue for such disclosures. He will also delve into the specifics of multiple incidents, which will help practices and businesses understand what those organizations did wrong that led to a ransomware-related HIPAA risk.

Apart from explaining the variables that need to be considered, Brian will also discuss the specific questions that Office for Civil Rights investigators and the FBI are likely to ask, and how best to answer them. This very valuable session on ransomware and HIPAA risks will educate participants on how to prevent a breach altogether.

Brian will cover the following areas at this webinar:

  • What is ransomware?
  • What are risk factors?
  • What to do if hijacked
  • Audit Process
  • What can cause an audit
  • How to avoid these issues altogether
  • What to do in the event of an audit
  • How to speak and deal with Federal auditors
  • Risk Assessment
  • Best resources

1 Comment

  1. Have you checked out the ONC tool for HIPAA risk assessments? Or Medcurity? The federal tool is a starting point, but it was good to switch to Medcurity. It supports multiple users and is very comprehensive. And they have a lot of customizable policies.
