Physicians Must Now Report Ransomware Attacks as a Breach – or Face Hefty Fines
Posted on: 11/7/2016

Ransomware is a form of malicious software (also known as “malware”) that encrypts or deletes computer files, blocking the owner’s access to critical data unless a ransom is paid.

Ransomware attacks, sometimes called “data kidnapping,” are among the biggest threats facing health information security today. In fact, since early 2016 there have been 4,000 ransomware attacks each day – with nearly 50 percent of those related to health care.

As such, physicians need to be aware of a recent change to HIPAA privacy rules concerning ransomware, as directed by the Department of Health and Human Services’ Office for Civil Rights (OCR):

  • When a covered entity or business associate experiences a ransomware attack, the incident is presumed to be a reportable breach unless proven otherwise.

Previously, no action was required unless a breach had occurred. Now, failure to appropriately report a ransomware incident as a breach will result in significant fines.

Learn more with ISMS’ latest Issue Brief, Privacy Protection in the Digital Age: The Threat Posed by Ransomware. This resource explains OCR’s change to HIPAA rules and offers strategies on how medical practices can improve their security to safeguard their electronic protected health information (ePHI).
