New Ransomware Policy Posted for Premium Members: HIPAA & HITECH Act Blog by Jonathan P. Tomes

Jon Tomes

Ransomware continues to be one of the most serious threats to health information and may be the most serious threat, so you may need a ransomware policy. Almost half of all ransomware attacks in 2018 involved health care organizations. For a terrifying report on the threat of ransomware attacks, see Bojana Dobran, “27 Terrifying Ransomware Statistics and Facts You Need to Read,” phoenixNAP, January 31, 2019, at

Although staff misconduct, such as discussing a patient’s condition with an unauthorized person, posting a comment containing patient data on social media, or even using data in charts to commit identity theft, may be the most common type of violation, such violations are usually more contained than a successful ransomware attack. Such an attack may shut down one’s whole operation or result in a huge ransom payment, bad publicity, and loss of business. It could even be life-threatening because the provider loses access to critical medical information in an emergency.

A ransomware attack could even drive a provider out of business as exemplified by the closure of Wood Ranch Medical in Simi Valley, California. The August 10, 2019, ransomware attack’s file encryption prevented staff from accessing medical records. The attack permanently damaged systems, thus making file recovery impossible. The practice’s backups were also encrypted, and consequently, restoration of patient data was impossible. The damage was so bad that Wood Ranch decided that, because it could not recover, it would cease operations in December.

Wood Ranch is not the only practice to do so. Earlier this year, Brookside ENT and Hearing Center in Battle Creek, Michigan, closed down after a ransomware attack had permanently encrypted its patient records. Its owners decided to close the business and retire rather than rebuild the practice from scratch.

Because of the seriousness of this threat and although nowhere in HIPAA, particularly in its Security Rule, is having a ransomware policy required or even addressable (where, as discussed in my October 11, 2019, blog post, you must “address” a security measure—that is, decide whether it is reasonable and appropriate and, if it is, implement it), you must, in the author’s opinion, consider whether you need such a policy. You might not if you are a sole practitioner with no staff, with but one computer, and too small to be much of a target, but otherwise? One would not think that Brookside ENT and Hearing Center would be a big target, but 90 percent of ransoms are for under $5,000. Could ransomware criminals target smaller entities out of a belief that they are less likely to be prepared to handle such an attack and thus more likely to pay the ransom?

So you may need a ransomware policy. I have developed a new Sample Ransomware Prevention Policy and Response Procedure that is available on the Premium Members section of our Veterans Press website at It’s listed as Ransomware Policy with a little New sign after it.

It is particularly advisable to have your IT staff or vendor or risk analysis team review this policy and determine whether it needs deletions, additions, or modifications for your system(s) in order to be a reasonable and appropriate solution to the risk in your situation.

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. Make sure that you include malware and ransomware in your initial risk analysis and all updates thereof. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: or Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Jon’s Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.

seo by: k.c. seo