
Good Faith Compliance is No Longer Enough

HIPAA now has stricter and more explicit requirements, especially as enforcement expectations tighten. This is changing how medical practices and business associates operate day to day. The big shift is that “good faith” compliance is no longer enough. Regulators now expect documented and continuously maintained compliance.

Compliance Must Be Documented, Not Assumed

Organizations can no longer rely on informal policies, verbal training, or “we’ve always done it this way.”

Written risk analyses, risk management plans, and policies have always been required. But now, regulators are closely reviewing for updates. Documents must be current, not created once and forgotten.

If it’s not documented, the Office for Civil Rights treats it as if it doesn’t exist.

Impact: More time spent maintaining documentation, but far less exposure during an audit or complaint.

Risk Analysis Is the Foundation of Everything

The Office for Civil Rights (OCR) has made it crystal clear that risk analysis drives compliance decisions. Security controls must align with identified risks. Then a documented risk management plan that outlines the mitigation process must be created. “Addressable” safeguards must be justified if not implemented; this was never meant to be optional! Generic or copied risk analyses are being rejected.

Impact: Organizations must understand their systems, vendors, workflows, and vulnerabilities – not someone else’s.

Cybersecurity Expectations Are Higher

HIPAA now expects organizations to adopt modern security practices, not outdated basics.

  • Multi-factor authentication (MFA)
  • Encryption of data at rest and in transit
  • Regular patching and system hardening
  • Monitoring for suspicious activity

Failing to implement common-sense safeguards is increasingly viewed as willful neglect.

Impact: Greater reliance on IT partners, but also more oversight and accountability.

Vendors and Business Associates Are Under a Microscope

Practices are responsible for who they share PHI with. Business Associate Agreements (BAAs) must be current. Business associates must have current subcontractor agreements in place as well. Vendors must demonstrate their own security practices and comply with the HIPAA rules. “We trusted our vendor” is no longer a defense. Covered entities are responsible for ensuring their vendors are compliant.

Impact: More vendor vetting, more paperwork, fewer risky shortcuts.

Training Must Be Ongoing

Annual, generic HIPAA training doesn’t cut it anymore. Training must address phishing, ransomware, and real-world threats. Training must be tracked and documented.

Impact: Better-informed staff equals fewer costly human-error breaches.

Faster Response and Accountability After Incidents

HIPAA enforcement now scrutinizes how quickly and effectively a practice responds to incidents. Incident response plans must exist before an event occurs. Delays or confusion during a breach increase penalties. Internal security incident investigations must be documented.

Impact: Organizations need clear procedures, not panic, when something goes wrong.

Small Practices Are No Longer “Too Small to Enforce”

Enforcement actions increasingly involve:

  • Small and solo practices
  • Dental offices
  • Specialty clinics
  • Business associates

Complaints, not breaches, often trigger investigations.

Impact: Every organization is expected to meet the same baseline standards, regardless of size.

Summary

HIPAA’s stricter requirements mean organizations must shift from reactive compliance to ongoing risk management.

Aris Medical Solutions helps medical practices and business associates understand HIPAA expectations and reduce risk, step by step.

Our HIPAA Keeper was designed to help organizations:

  • Understand where they stand
  • Organize required documentation
  • Maintain compliance over time
  • Be prepared if questions ever arise

Additionally, you will have a HIPAA security analyst to guide and assist you when you need help.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

Cybersecurity and the HIPAA Rules

The Office for Civil Rights released its January 2026 OCR Cybersecurity Newsletter. We have condensed it to educate regulated entities on what is necessary under the HIPAA rules. Many organizations try to manage their data security on their own or rely on IT vendors that may not be well versed in data security and the HIPAA rules.

We hope this will help you to understand how cybersecurity and the HIPAA rules intersect. In the end, this is how to protect patient data and your organization. Remember, HIPAA is not optional, and it is more involved than ever before.

System Hardening and Protection of ePHI

System hardening requires installing, enabling, and properly configuring security measures across all systems. Organizations should enable built-in security features within devices, operating systems, and applications. They should also deploy third-party security tools such as anti-malware, EDR, and SIEM solutions when appropriate.

These safeguards support HIPAA Security Rule technical requirements, including access controls, encryption, audit logging, and authentication. Risk analysis and risk management decisions should guide which security measures an organization implements. Organizations may need third-party solutions, such as multi-factor authentication, when native options are unavailable. Establishing standardized security baselines helps ensure consistent protection and reduces risk to ePHI.

Patching Known Vulnerabilities

Applying patches protects electronic protected health information by reducing known security vulnerabilities. Organizations must keep operating systems, applications, and device firmware, including network equipment, up to date. Maintaining an accurate IT asset inventory helps identify systems that require patching.

The HIPAA Security Rule requires organizations to identify and manage risks to ePHI, including unpatched software. Patching is an ongoing process because new vulnerabilities emerge over time. When patches are unavailable, organizations must implement alternative security measures to reduce risk to an appropriate level.
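As an added example (not from the OCR newsletter and not Aris Medical Solutions’ code), the following POSIX shell script shows how an accurate asset inventory can be matched against a patch policy to identify systems that still need patching, and to flag components for which no fix exists and a compensating control is therefore required. The inventory, the policy, the host and component names and the version numbers are all constructed for this example.

```shell
#!/bin/sh
# Added example: match an IT asset inventory against a patch policy to find
# systems that still need patching. All data below is constructed.

# Constructed inventory: host,component,installed_version
INVENTORY='ws-01,openssl,3.0.7
ws-02,openssl,3.0.13
srv-db,postgres,14.2
srv-fw,router-firmware,2.1.0
srv-legacy,oldapp,1.4'

# Constructed policy: component,minimum_fixed_version
# "none" records that no fix has shipped, so that system needs a
# compensating control rather than a patch.
POLICY='openssl,3.0.13
postgres,14.11
router-firmware,2.1.0
oldapp,none'

# ver_lt A B: returns 0 when dotted version A is strictly older than B.
# Compares each segment numerically, so 14.2 < 14.11 (string order gets this wrong).
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# patch_status INSTALLED MINIMUM -> one of NEEDS_PATCH, CURRENT,
# COMPENSATING_CONTROL (no fix available) or UNKNOWN_POLICY (component
# missing from the policy, which is itself a gap to close).
patch_status() {
    if [ -z "$2" ]; then
        echo UNKNOWN_POLICY
    elif [ "$2" = none ]; then
        echo COMPENSATING_CONTROL
    elif ver_lt "$1" "$2"; then
        echo NEEDS_PATCH
    else
        echo CURRENT
    fi
}

# patch_report INVENTORY POLICY
# Prints "host component installed_version status" for each inventory row.
patch_report() {
    inventory="$1"
    policy="$2"
    while IFS=, read -r host comp ver; do
        [ -z "$host" ] && continue
        # Look up the minimum fixed version for this component in the policy.
        min=$(printf '%s\n' "$policy" | awk -F, -v c="$comp" '$1 == c { print $2; exit }')
        printf '%s %s %s %s\n' "$host" "$comp" "$ver" "$(patch_status "$ver" "$min")"
    done <<EOF
$inventory
EOF
}

patch_report "$INVENTORY" "$POLICY"
```

Run as-is to print the report for the constructed data; in practice the inventory would be exported from the asset register and the policy kept with the risk management plan, and every COMPENSATING_CONTROL line should point to a documented alternative safeguard.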

Removing or Disabling Unneeded Software and Services

Many systems include unused or preinstalled software that increases security risk by expanding the system’s attack surface. This software may include games, social media applications, messaging tools, duplicate utilities, or insecure system services. Organizations should regularly review installed software and disable or remove anything not required for business operations. Unneeded software may create default or service accounts with elevated privileges and weak or known passwords. Attackers can exploit these accounts if organizations do not manage them properly.

Organizations must change default credentials, remove unused accounts, and delete accounts created by uninstalled software. Removing unnecessary software strengthens system security, especially when patches are unavailable. Organizations should test and document changes to ensure continued protection of ePHI under the HIPAA Security Rule.
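One way to turn the account review described above into a repeatable, documentable check, as an added example that is not the newsletter’s or Aris Medical Solutions’ own code: the script audits a constructed /etc/passwd excerpt for accounts left behind by software that is no longer installed, and additionally for service accounts that still have an interactive login shell (a common hardening check not spelled out in the newsletter). The account-to-package mapping and the installed-package list are assumptions constructed for the example; a real audit would take them from the package manager.

```shell
#!/bin/sh
# Added example: audit local accounts for service accounts with interactive
# shells and for accounts left behind by uninstalled software.
# All data below is constructed.

# Constructed /etc/passwd excerpt: name:pw:uid:gid:gecos:home:shell
PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postgres:x:110:115:PostgreSQL:/var/lib/postgresql:/bin/bash
oldapp:x:120:120:Old App Service:/opt/oldapp:/bin/sh
backupsvc:x:121:121:Backup agent:/var/lib/backup:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash'

# Constructed mapping "account package": which package created each service
# account. A real audit would derive this from the package manager.
ACCOUNT_OWNER='postgres postgresql
oldapp oldapp
backupsvc backup-agent'

# Constructed list of packages currently installed.
INSTALLED='postgresql
backup-agent
openssh-server'

# audit_accounts PASSWD_TEXT OWNER_MAP INSTALLED_LIST
# Prints one finding per line and returns 0 only when there are none.
audit_accounts() {
    passwd="$1"
    owners="$2"
    installed="$3"
    findings=0
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -z "$name" ] && continue
        # Finding 1: a service account (UID 1..999) should have a non-login shell.
        if [ "$uid" -gt 0 ] && [ "$uid" -lt 1000 ]; then
            case "$shell" in
                */nologin|*/false) ;;
                *) printf 'INTERACTIVE_SERVICE_SHELL %s uid=%s shell=%s\n' "$name" "$uid" "$shell"
                   findings=$((findings + 1)) ;;
            esac
        fi
        # Finding 2: the package that created this account is no longer installed,
        # so the account should be deleted along with the software.
        pkg=$(printf '%s\n' "$owners" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -n "$pkg" ] && ! printf '%s\n' "$installed" | grep -qxF "$pkg"; then
            printf 'ORPHANED_ACCOUNT %s package=%s\n' "$name" "$pkg"
            findings=$((findings + 1))
        fi
    done <<EOF
$passwd
EOF
    [ "$findings" -eq 0 ]
}

if audit_accounts "$PASSWD" "$ACCOUNT_OWNER" "$INSTALLED"; then
    echo "no account findings"
else
    echo "account findings above need review, remediation and documentation"
fi
```

On the constructed data the script reports postgres and oldapp for interactive shells and oldapp again as orphaned; backupsvc (non-login shell, package still installed) and the regular user alice produce no findings. Recording the output with the date and the remediation taken gives the documentation trail the Security Rule expects.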

Enabling and Configuring Security Measures

System hardening requires organizations to install, enable, and properly configure appropriate security measures. Organizations should activate built-in security features on devices, operating systems, and software. They should also deploy third-party tools such as anti-malware, EDR, and SIEM solutions when needed.

These security measures support HIPAA Security Rule technical safeguard requirements, including access controls, encryption, audit logging, and authentication. Organizations should base safeguard decisions on their risk analysis and risk management plan. Some systems may require additional controls, such as multi-factor authentication, through third-party solutions. Standardized security baselines help ensure consistent protection and reduce risk to electronic protected health information.
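Both hardening sections above ask for standardized security baselines so that protection is consistent across systems. As an added example (not from the OCR newsletter and not Aris Medical Solutions’ code), the following script compares an sshd_config excerpt against a small written baseline and reports every deviation, treating an unset directive as a deviation rather than trusting the default. The four baseline settings and the sample configurations are constructed for illustration and are not a complete hardening standard.

```shell
#!/bin/sh
# Added example: compare a service configuration against a written security
# baseline and report each deviation. All data below is constructed.

# Baseline: "directive expected_value", one per line. These four settings are
# assumptions for the example, not a complete hardening standard.
BASELINE='PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE'

# Constructed sshd_config excerpt that deviates from the baseline twice.
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
LogLevel VERBOSE'

# Constructed excerpt that satisfies the baseline.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE'

# config_value CONFIG_TEXT DIRECTIVE
# Prints the value of the first non-comment occurrence of DIRECTIVE (sshd
# honours the first occurrence), or nothing if the directive is not set.
config_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_baseline CONFIG_TEXT BASELINE_TEXT
# Prints "directive expected=X actual=Y" for every deviation; Y is MISSING
# when the directive is unset, so an unreviewed default counts as a finding.
# Returns 0 when the configuration matches the baseline, 1 otherwise.
check_baseline() {
    config="$1"
    baseline="$2"
    deviations=0
    while read -r directive expected; do
        [ -z "$directive" ] && continue
        actual=$(config_value "$config" "$directive")
        if [ "$actual" != "$expected" ]; then
            printf '%s expected=%s actual=%s\n' "$directive" "$expected" "${actual:-MISSING}"
            deviations=$((deviations + 1))
        fi
    done <<EOF
$baseline
EOF
    [ "$deviations" -eq 0 ]
}

# Demonstration: report on the deviating sample, then confirm the hardened one.
if check_baseline "$SAMPLE_CONFIG" "$BASELINE"; then
    echo "sample config matches the baseline"
else
    echo "sample config deviates from the baseline (findings above)"
fi
if check_baseline "$HARDENED_CONFIG" "$BASELINE"; then
    echo "hardened config matches the baseline"
fi
```

The same loop works for any “directive value” style file once the baseline is written down; the point is that the baseline is a document the organization owns, and each deviation is either fixed or justified in the risk management plan.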

Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project — it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.


Schedule a free HIPAA checkup today at Aris Medical Solutions.

Healthcare Cyber-Attacks on the Rise

Healthcare cyber-attacks are on the rise and data breaches can cost a practice a fortune. It is no secret that patient data is valuable on the black market. Cyber criminals will try many different methods to gain access to this data.

The Office for Civil Rights (OCR) stated in their Cybersecurity Newsletter that there has been a 42% increase in cyber-attacks for the first half of 2022 compared to 2021, and a 69% increase in cyber-attacks targeting the health care sector. The number of data breaches occurring in the health care sector also continues to rise. Breaches of unsecured protected health information (PHI), including ePHI, reported to the OCR affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of PHI. A timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks.

If you haven’t done so already, we recommend completing the Security Incident Procedures and Breach Notification Plan. You should also name the people responsible for your Security Response Team. Educate your team on identifying security incidents and how to respond to them. The quicker you can identify a threat, the sooner you can mitigate the issue.

Another item to have in place is your inventory list, so that you can locate which devices may be affected. Your Contingency Plan includes a list of devices and software applications that you can use to determine which devices and applications need to be brought back online, and in what order. Your IT department or vendor will assist with this process.

If it has been determined that a breach of patient data has occurred, this must be reported to the OCR. Remember to follow your state law if it is more stringent.

As with all requirements under HIPAA, you must document your process. If it is not documented, it does not exist. If you have questions about other areas, please do not hesitate to contact us!


“Simplifying HIPAA through Automation, Education, and Support”

Cyber Alert: Ransomware Activity Targeting the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.

In addition to these materials regarding the most recent ransomware threat to the Healthcare and Public Health Sector, the HHS Office for Civil Rights’ Fact Sheet: Ransomware and HIPAA provides further information for entities regulated by the HIPAA Rules.

CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information.

©2026 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved