The Doctor’s Advocate | Third Quarter 2016

Ransomware Attacks: HIPAA Burden Falls to the Hospital or Medical Practice

Craig Musgrave, Senior Vice President, Information Technology

The bar has been raised on HIPAA and ransomware attacks.

Under its recently released guidance, the Department of Health and Human Services (HHS) now presumes that a ransomware attack compromises electronic protected health information (ePHI)—unless the HIPAA-covered entity can prove otherwise.[1]

Prior to this new guideline, if you determined on your own that there was no breach, no action was needed on your part. HHS would have to prove that the ransomware attack had compromised ePHI.

But now that burden of proof has changed—it’s now your responsibility to prove that data was not compromised, including patient records, credit card data, and employee records. If you have a breach, or can’t prove that you did not, you must complete the HIPAA notification procedures and may face fines. You may also be fined if it’s shown that your practice was not HIPAA compliant before the attack.

Large healthcare systems and hospitals with sophisticated technology systems may have an easier time meeting this burden of proof. Firewalls can log the cyber criminals' traffic and record what data they had access to, how long they spent in the system, and what data they extracted. Small practices without sophisticated systems or firewalls may have to hire a computer forensics firm in order to prove that a breach of their systems did not occur.
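To make the point about firewall records concrete, here is an added example (not from the newsletter or The Doctors Company) that reduces connection-log lines to the facts an investigator would need: which internal host sent data to which outside address, how much, and over what period. The key=value log format, the field names and the 50 MB threshold are assumptions, and the sample lines are constructed.

```python
# Added example, not from the newsletter: summarize what left the network
# from firewall connection logs, the kind of record the article says a
# firewall can supply. The key=value log format and field names are
# constructed for this example; real firewall log formats differ.
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in the hypothetical format.
SAMPLE_LOG = """\
ts=2016-07-20T02:14:05 src=10.0.5.21 dst=203.0.113.44 dport=443 sent=1200 rcvd=880
ts=2016-07-20T02:14:09 src=10.0.5.21 dst=203.0.113.44 dport=443 sent=73400000 rcvd=2200
ts=2016-07-20T02:31:50 src=10.0.5.21 dst=203.0.113.44 dport=443 sent=81000000 rcvd=2100
ts=2016-07-20T02:40:12 src=10.0.5.7 dst=10.0.5.200 dport=445 sent=500000 rcvd=400
ts=2016-07-20T03:02:44 src=10.0.5.7 dst=198.51.100.9 dport=80 sent=900 rcvd=15000
"""

LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=\d+ sent=(\d+) rcvd=\d+")
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def summarize_outbound(log_text):
    """Per (src, dst) pair leaving the internal ranges: bytes sent, first and
    last timestamp, connection count. Lines not matching the format are skipped."""
    summary = defaultdict(lambda: {"bytes_out": 0, "first": None, "last": None, "connections": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text, src, dst, sent = m.groups()
        if any(ip_address(dst) in net for net in INTERNAL):
            continue  # internal traffic is not data leaving the practice
        ts = datetime.fromisoformat(ts_text)
        e = summary[(src, dst)]
        e["bytes_out"] += int(sent)
        e["connections"] += 1
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
    return dict(summary)

def flag_large_transfers(summary, threshold_bytes=50_000_000):
    """Pairs that sent more than threshold_bytes, with the span of that activity
    in seconds: what left, to where, and over how long."""
    return {key: (e["bytes_out"], (e["last"] - e["first"]).total_seconds())
            for key, e in summary.items() if e["bytes_out"] > threshold_bytes}

if __name__ == "__main__":
    for (src, dst), (n, secs) in flag_large_transfers(summarize_outbound(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {n} bytes out over {secs:.0f}s")
```

Without records of this kind, a practice has nothing to show that ePHI did not leave the network, which is the situation the new guidance places on the covered entity.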

Ransomware remains a major threat for practices and hospitals—not only do over 50 percent of all cyber attacks occur in healthcare, but there have also been 4,000 daily ransomware attacks since early 2016, which is a 300 percent increase over the 1,000 daily attacks in 2015.[2] Ransomware attacks exploit technical and human weaknesses to gain access to a healthcare organization’s system and deny the organization access to its own data.

What You Should Do To Prevent an Attack

Encryption used to be the standard method to prevent breaches and protect your practice, but that has also now changed. Encryption does not stop ransomware attacks—if a cyber criminal gets access to your system, encryption will not stop the attack. In addition, encryption is no longer sufficient to prove that a breach has not occurred during a ransomware attack. While encryption of all laptops, desktop computers, and mobile devices remains important to overall security, practices and hospitals also now need to take additional steps:

  • Small practices should migrate their systems—both software applications and data—to the cloud. Cloud vendors have implemented security measures that most smaller practices won’t be able to implement and maintain. Be sure to fully vet your cloud storage vendor:
    • Are the vendor’s security standards appropriate? You have to research each vendor you choose. Make sure the company has a good reputation and solid security policies. You are entrusting the provider to store your information, so the extra time spent researching and comparing providers and their security practices will pay off in the long run.
    • How much data will you be storing? Many companies charge by the amount of storage you use, so understand what your needs are before choosing a vendor. Ensure the vendor can handle the amount of data you would like to move to the cloud.
    • Ensure your data is encrypted when being uploaded to or downloaded from the cloud. This is also your responsibility. Make sure your browser or app requires an encrypted connection before you upload or download your data. Also ensure all devices that contain ePHI (laptops, desktops, thumb drives, and centralized storage devices) are encrypted.
    • Make sure your data is encrypted when stored in the cloud. This is perhaps the most important consideration. Data protected by law, such as medical information or personal identifiers, should never be stored in the cloud unless the storage solution is encrypted. Only selected members of your organization should be able to decrypt the data, and your organization should create policies detailing under what circumstances information can be decrypted. Determining whether the stored data will be encrypted requires a careful review of the specific terms of service within your agreement with the cloud service provider. Many cloud service providers store data on a cloud server with no encryption, meaning anyone who has (or can get) high-level access to that server will be able to read your files.
    • Understand how access is shared in your cloud folder. Many cloud storage providers allow you to share access to your online folders. Be familiar with the details on how that sharing works. Can the user read-only or can the user edit the file? Will you know who the last person to edit a file was? Awareness of who has access and how is critical to monitoring activity within your stored data.
    • Understand your options if the cloud provider is hacked or your data is lost. Virtually all cloud service providers require a user to sign an agreement that contains a terms of service provision. In most cases, these agreements provide that the user has very little, if any, remedy if a hack or a loss of data occurs. Pay attention to what rights you have given up and make sure you are comfortable with doing so.
  • If you cannot store data in the cloud, consider working with a computer forensics firm to strengthen your security and investigative capabilities.
  • Provide security awareness training for all employees. Over 80 percent of attacks are made possible by human error or human involvement. Train staff members to avoid downloading unknown files, clicking on links, or plugging unknown USB devices into computer systems.
  • Block malware at the firewall by using intelligent firewalls that inspect traffic and stop the malware from downloading.
  • Install intrusion detection software to monitor for malicious activity on computer networks.
  • Stop malware from executing on desktop computers by installing application whitelisting software, anti-virus, or anti-malware.
  • Perform regular system backups.
  • Ensure that critical systems and business data are backed up—even backed up hourly for critical systems.
  • Test that the backup restore process works.
  • Perform penetration testing on a regular basis to determine any existing vulnerabilities that should be patched.


  [1] Your money or your PHI: New guidance on ransomware. U.S. Department of Health and Human Services. Accessed July 21, 2016.
  [2] Fact sheet: ransomware and HIPAA. U.S. Department of Health and Human Services. Accessed July 21, 2016.

The Doctor’s Advocate is published by The Doctors Company to advise and inform its members about loss prevention and insurance issues.

The guidelines suggested in this newsletter are not rules, do not constitute legal advice, and do not ensure a successful outcome. They attempt to define principles of practice for providing appropriate care. The principles are not inclusive of all proper methods of care nor exclusive of other methods reasonably directed at obtaining the same results.

The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

The Doctor’s Advocate is published quarterly by Corporate Communications, The Doctors Company. Letters and articles, to be edited and published at the editor’s discretion, are welcome. The views expressed are those of the letter writer and do not necessarily reflect the opinion or official policy of The Doctors Company. Please sign your letters, and address them to the editor.
