Alleged ransomware attacks targeting hospitals around the country have been used as examples to stress methods of disruptions to hospital systems. While it should come as no surprise to learn that hackers put hospitals and EHR systems at risk, it is telling to discover the majority of failures were not due to cybercrime.

According to a study released by the Officer of Inspector General (OIG) for the Department of Health and Human Services (HHS), nearly 60 percent of hospitals have experienced electronic health record (EHR) disruptions, resulting in delayed patient care for nearly a quarter those hospitals.

The most common contributing factors were attributed to the following:

  • Hardware malfunction
  • Internet connectivity issues
  • Power failures
  • Natural disasters

Hacking accounted for less than one percent of these factors. With numerous hacking reports becoming public knowledge, how can this be possible? It’s simple—the report’s data was collected in 2014. Previously, hackers targeted individuals with ransomware, locking them out of their computer, then demanding a fee be paid before it unlocks your device. Now, businesses are more commonly attacked with malicious software crafted to work in a similar manner.

The good news is that better deterrence measures are being set in place, “Since we administered this review awareness of cybersecurity threats, health information technology has grown,” according to HHS Inspector Daniel Levinson.


There is no denying the increase in hacking incidents of healthcare providers and other businesses. As hospitals and medical offices begin to utilize EHRs and digital tools, the key takeaway from this report is to be prepared for any potential threat. “Disruptions to EHRs from these and other threats can present significant safety risks to patients. Contingency plans are crucial because they are designed to minimize the occurrence and effects of such disruptions,” wrote Levinson.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes regulations to protect the privacy and security of health information. The following required protective measures should be in place:

Contingency Plan

  • Data backup plan
  • Disaster recovery plan
  • Emergency mode operations plan
  • Testing and revision procedures

Risk Analysis and Management

  • Identify likelihood impact of prospective risks
  • Implement adequate cybersecurity measures compliant with the National Institute of Technology and Standards
  • Maintain documentation of security measures and reasons chosen
  • Remain consistent with appropriate security measures

Administrative Level

  • Provide proper training for employees
  • Periodically assess security processes knowledge level of employees
  • Designate a security official to develop and implement security policies and procedures
  • Actively monitor phishing attempts
  • Store maintained backup copies offsite
  • Back up data frequently

In March 2016, HHS Office for Civil Rights began another round of HIPAA audits, releasing information related to the threat of ransomware in mid-July. Those found not in compliant with HIPAA are considered to be HIPAA breaches and may face penalties.

Raintree Systems is dedicated to helping you develop and implement an HIPAA-compliant contingency plan, as well as identify potential risks to your current EHRs. To speak with an expert, call us today at (800) 333-1033.