Breach Risk Assessment

In healthcare today, the question isn’t if a cyberattack will happen, but when. Among these, ransomware is especially disruptive and calls for a thorough breach risk assessment to decide the next steps. For HIPAA compliance professionals, lawyers, and practice owners, a ransomware incident isn’t just an IT issue – it’s a significant legal and regulatory concern.

When a hacker encrypts data and demands payment for the decryption key, it triggers a ‘presumption of breach’ under the HIPAA Breach Notification Rule. Handling ransomware incidents requires IT expertise, a systematic investigation, sound judgment, and proper legal documentation.

Managing a breach and reducing its damage starts well before it happens, with a plan, procedures, a team, and training.

The Presumption of Breach: Why Ransomware is Different

Ransomware is malicious software planted by a criminal that locks your electronic systems, followed by a demand for payment in exchange for a decryption key. The software itself is sophisticated, but the most common way it enters a system is a low-tech phishing email.

A common misconception in healthcare is that if data is “only” encrypted—and not necessarily stolen or “exfiltrated”—it doesn’t constitute a HIPAA breach. However, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has a different perspective.

According to HHS guidance, when ransomware encrypts Protected Health Information (PHI), an unlawful “acquisition” has occurred. Under HIPAA, “acquisition” means a disclosure of PHI not permitted by the HIPAA Privacy Rule, which is a breach as defined by the HIPAA Breach Notification Rule.

Unless the covered entity or business associate can demonstrate a “low probability that the PHI has been compromised” based on a breach risk assessment consisting of several specific factors, the incident is legally presumed to be a reportable breach.

This shift in perspective is crucial. You don’t begin your investigation by questioning whether you should report; you assume you should and then search for evidence that might contradict that assumption.

Stage 1: Prepare in Advance

Preparation is the most effective way to lower breach-related costs and risks. A disorganized response can lead to missed deadlines, incomplete investigations, and higher fines. Successful preparation relies on having a contingency plan, clear policies, proper training, and strong teamwork.

Each of these steps is necessary under HIPAA. Following them is the best way to minimize the risk of a breach and improve your response if one happens.

Contingency Plan

HIPAA compliance requires a contingency plan (45 CFR § 164.308(a)(7)). A contingency plan is developed to protect the confidentiality, integrity, and availability of data during unexpected adverse events, regardless of the cause, such as fire, system failure, natural disaster, or cyberattack.

HHS recognizes that the specific contents of any contingency plan depend on the nature and structure of the entity that creates it. There is no “one-size-fits-all.”

Once it’s created, the plan shouldn’t be just a document that collects dust on a shelf. It needs to be a practical roadmap that clearly defines who does what when a suspicious screen appears. It should also include a data backup plan, disaster recovery procedures, and an emergency mode operation plan.

Procedures

Different threats to PHI require specific responses. A ransomware incident triggers particular procedures to contain, mitigate, and investigate the event. The investigation helps the team determine whether to report the incident to affected individuals and the government.

The Multi-Disciplinary Team

Managing a breach is not solely the responsibility of the IT director. A successful response team generally includes:

  • Executive Leadership: To make high-level financial and operational decisions.
  • IT/Cybersecurity: To contain the threat and preserve forensic evidence.
  • Legal Counsel: To manage liability and ensure the investigation meets regulatory standards.
  • Compliance Officer: To oversee the risk assessment and notification timelines.

Staff Training

Technology can only do so much; your staff is the first line of defense. Training must go beyond annual exercises—employees should be able to avoid phishing emails, recognize security incidents, and report them immediately. Every minute of reporting delay can compromise thousands of records.

Stage 2: The Investigation and the Four-Factor Assessment

Once an incident is identified, the clock starts ticking. HIPAA requires notification without unreasonable delay, and in any case, no later than 60 days after the discovery of a breach. To determine whether the “presumption of breach” can be overcome, organizations must conduct a thorough, objective breach risk assessment.

The Breach Notification Rule (45 C.F.R. § 164.402(2)) requires a breach risk assessment that considers at least these four factors:

The Nature and Extent of the PHI Involved

What type of data was involved? There is a difference between a list of patient names and a database with Social Security numbers, financial information, and detailed clinical notes. If the data is very sensitive, the “probability of compromise” is much higher.

The Unauthorized Person Who Used the PHI

Who was the attacker? In ransomware incidents, the “unauthorized person” is typically a malicious actor or a criminal organization. This factor almost always favors a breach, since the hacker’s motives are inherently untrustworthy.

Whether the PHI Was Actually Acquired or Viewed

This is where forensic evidence—digital records and analysis used to investigate security events—becomes essential. Did the ransomware simply encrypt the drive, or do logs show that data was exfiltrated (unauthorized transfer of data out of your systems)? If the PHI was encrypted but not accessed or moved, expert forensic analysis can demonstrate a low likelihood of compromise.

The Extent to Which the Risk to the PHI Has Been Mitigated

How quickly was the threat neutralized? If the organization was able to remotely wipe (erase data from) a lost device or immediately cut a network connection before the encryption finished, the risk might be considered lower. In ransomware cases, however, “mitigation” often refers to whether the data can be recovered from backups without engaging the attacker.

The HIPAA E-Tool® simplifies the breach risk assessment with a questionnaire that organizes the process. The questionnaire creates a decision tree to evaluate whether there was a low probability of compromise. See the Guide to Breach Risk Assessment from The HIPAA E-Tool®.

Stage 3: The Notification Process

If the four-factor assessment does not show a low probability of compromise, you must proceed with notifications. The requirements differ depending on the extent of the breach.

Individual Notifications

Every individual whose information was encrypted must be notified within 60 days of the attack’s discovery. The notice should include a description of what occurred, the types of PHI involved, steps individuals should take to protect themselves, and what the covered entity is doing to investigate and reduce the harm.

The Media

If a breach affects more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving that area. This is often the most challenging part of the process for a provider’s reputation, making it all the more important to have a clear, professional communication plan prepared in advance.

Guidance for Notification

The HIPAA E-Tool® simplifies the notification process for individuals and the media. See the Guide to Breach Notification Templates from The HIPAA E-Tool®.

Secretary of HHS

All breaches must be reported to the Secretary of HHS.

  • For breaches affecting fewer than 500 individuals, you can keep a log and report them once a year, no later than 60 days after the end of the calendar year.
  • For breaches affecting 500 or more individuals, you must notify the Secretary at the same time you notify the affected individuals, “without unreasonable delay” and within 60 days.

Use the OCR Breach Reporting Portal to report to HHS.

The Critical Role of Documentation

If it isn’t documented, from a regulatory point of view, it didn’t happen. Throughout the entire investigation—even if you conclude that no breach occurred—you must keep a detailed record of:

  • The forensic evidence gathered by IT.
  • The logic and conclusions of your four-factor risk assessment.
  • The steps taken to mitigate the incident.
  • Copies of all notification letters sent.

This documentation is your primary defense during OCR audits or complaints. A well-documented investigation demonstrates that your organization takes its responsibility to protect PHI seriously and acts in good faith.
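The four-factor assessment in Stage 2, the notification rules in Stage 3, and the documentation record just described can be carried as one structured record, so that the conclusion, the deadlines, and the evidence behind each factor are derived from the same data. The following is an added example and is not the HIPAA E-Tool's questionnaire or any part of it. Two things in it are assumptions chosen for illustration: the presumption of breach is treated as overcome only when all four factors are documented and each is found to support a low probability of compromise, and deadlines are computed as calendar days from the discovery date (or from December 31 for the annual log). The sample incidents and their figures are constructed.

```python
"""Added example (not the HIPAA E-Tool's own questionnaire): records the
four-factor breach risk assessment for a ransomware incident, applies the
presumption of breach, derives the notification obligations and deadlines,
and produces the documentation record to keep on file.

Assumptions, for illustration only:
  - the presumption is treated as overcome only when all four factors are
    documented and each supports a low probability of compromise;
  - deadlines are calendar days from discovery (or from December 31 for
    the annual log of small breaches).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

FACTORS = (
    "nature_and_extent_of_phi",   # factor 1
    "unauthorized_person",        # factor 2
    "phi_acquired_or_viewed",     # factor 3
    "extent_risk_mitigated",      # factor 4
)


@dataclass
class FactorFinding:
    factor: str
    supports_low_probability: bool
    evidence: str  # what was reviewed: logs, forensic report, backup restore test


@dataclass
class Incident:
    discovered: date
    findings: list[FactorFinding]
    affected_by_state: dict[str, int]  # individuals affected, keyed by state


def presumption_overcome(findings: list[FactorFinding]) -> bool:
    """Conservative rule (assumption): the incident stays a presumed breach
    unless every one of the four factors is documented and each supports a
    low probability of compromise."""
    by_factor = {f.factor: f for f in findings}
    return all(name in by_factor and by_factor[name].supports_low_probability
               for name in FACTORS)


def notification_obligations(incident: Incident) -> dict:
    """Who must be notified and by when: individuals within 60 days of
    discovery; media in any state with more than 500 affected residents;
    HHS with the individual notices when 500 or more are affected, otherwise
    via the annual log due 60 days after the end of the calendar year."""
    breach = not presumption_overcome(incident.findings)
    result = {"breach": breach, "individuals": 0, "individuals_by": None,
              "media_states": [], "hhs": None}
    if not breach:
        return result  # no notices, but the assessment is still documented
    total = sum(incident.affected_by_state.values())
    deadline = incident.discovered + timedelta(days=60)
    result["individuals"] = total
    result["individuals_by"] = deadline
    result["media_states"] = sorted(
        s for s, n in incident.affected_by_state.items() if n > 500)
    if total >= 500:
        result["hhs"] = ("with_individual_notices", deadline)
    else:
        year_end = date(incident.discovered.year, 12, 31)
        result["hhs"] = ("annual_log", year_end + timedelta(days=60))
    return result


def documentation_record(incident: Incident) -> list[str]:
    """The written record to keep whether or not a breach is concluded."""
    lines = [f"Discovered: {incident.discovered.isoformat()}"]
    for f in incident.findings:
        verdict = "supports low probability" if f.supports_low_probability else "favors breach"
        lines.append(f"{f.factor}: {verdict}; evidence: {f.evidence}")
    lines.append(f"Presumption of breach overcome: {presumption_overcome(incident.findings)}")
    return lines


# Constructed sample: the drive was encrypted and firewall logs show an outbound
# transfer, so factor 3 cannot support a low probability of compromise.
SAMPLE = Incident(
    discovered=date(2024, 3, 4),
    findings=[
        FactorFinding("nature_and_extent_of_phi", False, "SSNs and clinical notes in the encrypted database"),
        FactorFinding("unauthorized_person", False, "criminal ransomware operator"),
        FactorFinding("phi_acquired_or_viewed", False, "firewall logs show 2 GB outbound to an unknown host"),
        FactorFinding("extent_risk_mitigated", True, "restored from offline backups, no ransom paid"),
    ],
    affected_by_state={"TX": 1200, "OK": 40},
)

# Constructed small breach (fewer than 500 affected): goes on the annual log.
SMALL_SAMPLE = Incident(date(2024, 3, 4), SAMPLE.findings, {"OK": 120})

# Constructed case where every factor is documented as supporting low probability.
NO_BREACH_SAMPLE = Incident(
    date(2024, 3, 4),
    [FactorFinding(name, True, "forensic report, constructed") for name in FACTORS],
    {"OK": 120},
)

if __name__ == "__main__":
    for line in documentation_record(SAMPLE):
        print(line)
    print(notification_obligations(SAMPLE))
```

The record keeps the evidence next to each finding, which is what an auditor asks for: not only the conclusion, but what was reviewed to reach it.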

Conclusion: A Methodical Path Forward

Ransomware is a complex threat, but it is manageable. Healthcare providers can significantly reduce their risk by adopting a proactive approach instead of a reactive one.

The key to success is simple but requires discipline: Prepare your team and policies in advance, treat every ransomware incident as a breach, conduct a comprehensive four-factor investigation, and document each step. Following this structured approach not only keeps you compliant with the law but also protects your patients, your reputation, and the future of your practice.

The HIPAA E-Tool® can help you prepare for and respond to a ransomware breach with everything you need for a methodical, compliant process.
