Cybersecurity Archives

Cybersecurity and the HIPAA Rules

Suze Shaffer January 9, 2026January 9, 2026

The Office for Civil Right released their January 2026 OCR Cybersecurity Newsletter. We have condensed this in an effort to educate regulated entities what is necessary under the HIPAA rules. Many organizations try to manage their data security on their own or utilize IT vendors that may not be well versed in data security and the HIPAA rules.

We hope this will help you to understand how cybersecurity and the HIPAA rules intersect. In the end, this is how to protect patient data and your organization. Remember, HIPAA is not optional, and it is more involved than ever before.

System Hardening and Protection of ePHI

System hardening requires installing, enabling, and properly configuring security measures across all systems. Organizations should enable built-in security features within devices, operating systems, and applications. They should also deploy third-party security tools such as anti-malware, EDR, and SIEM solutions when appropriate.

These safeguards support HIPAA Security Rule technical requirements, including access controls, encryption, audit logging, and authentication. Risk analysis and risk management decisions should guide which security measures an organization implements. Organizations may need third-party solutions, such as multi-factor authentication, when native options are unavailable. Establishing standardized security baselines helps ensure consistent protection and reduces risk to ePHI.

Patching Known Vulnerabilities

Applying patches protects electronic protected health information by reducing known security vulnerabilities. Organizations must keep operating systems, applications, and device firmware, including network equipment, up to date. Maintaining an accurate IT asset inventory helps identify systems that require patching.

The HIPAA Security Rule requires organizations to identify and manage risks to ePHI, including unpatched software. Patching is an ongoing process because new vulnerabilities emerge over time. When patches are unavailable, organizations must implement alternative security measures to reduce risk to an appropriate level.

Removing or Disabling Unneeded Software and Services

Many systems include unused or preinstalled software that increases security risk by expanding the system’s attack surface. This software may include games, social media applications, messaging tools, duplicate utilities, or insecure system services. Organizations should regularly review installed software and disable or remove anything not required for business operations. Unneeded software may create default or service accounts with elevated privileges and weak or known passwords. Attackers can exploit these accounts if organizations do not manage them properly.

Organizations must change default credentials, remove unused accounts, and delete accounts created by uninstalled software. Removing unnecessary software strengthens system security, especially when patches are unavailable. Organizations should test and document changes to ensure continued protection of ePHI under the HIPAA Security Rule.

Enabling and Configuring Security Measures

System hardening requires organizations to install, enable, and properly configure appropriate security measures. Organizations should activate built-in security features on devices, operating systems, and software. They should also deploy third-party tools such as anti-malware, EDR, and SIEM solutions when needed.

These security measures support HIPAA Security Rule technical safeguard requirements, including access controls, encryption, audit logging, and authentication. Organizations should base safeguard decisions on their risk analysis and risk management plan. Some systems may require additional controls, such as multi-factor authentication, through third-party solutions. Standardized security baselines help ensure consistent protection and reduce risk to electronic protected health information.

Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project — it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper™ system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.

Schedule a free HIPAA checkup today at Aris Medical Solutions.

Healthcare Cyber-Attacks on the Rise

Suze Shaffer November 1, 2022July 15, 2025

Healthcare cyber-attacks are on the rise and data breaches can cost a practice a fortune. It is no secret that patient data is valuable on the black market. Cyber criminals will try many different methods to gain access to this data.

The Office for Civil Rights (OCR) stated in their Cybersecurity Newsletter that there has been a 42% increase in cyber-attacks for the first half of 2022 compared to 2021, and a 69% increase in cyber-attacks targeting the health care sector. The number of data breaches occurring in the health care sector also continue to rise. Breaches of unsecured protected health information (PHI), including ePHI, reported to the OCR affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of PHI. A timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks.

If you haven’t done so already, we recommend completing the Security Incident Procedures and Breach Notification Plan. You should add those responsible for your Security Response Team. Educate your team on identifying security incidents and how to respond to them. The quicker you can identify a threat, the sooner you can mitigate the issue.

Another area to ensure that you have in place is your inventory list to ensure you can locate which devices may be affected. In your Contingency Plan, there is a list of devices and software applications that you can use to determine which devices/applications that will need to be brought online in which order. Your IT department/vendor will assist with this process.

If it has been determined that a breach of patient data has occurred, this must be reported to the OCR. Remember to follow your state law if it is more stringent.

As with all requirements under HIPAA, you must document your process. If it is not documented, it does not exist. If there are other areas that you have questions, please do not hesitate to contact us!

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Cyber Alert: Ransomware Activity Targeting the Healthcare and Public Health Sector

Suze Shaffer October 29, 2020April 8, 2022

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.

In addition to these materials regarding the most recent ransomware threat to the Healthcare and Public Health Sector, the HHS Office for Civil Rights’ Fact Sheet: Ransomware and HIPAA provides further information for entities regulated by the HIPAA Rules.

CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information.