Malware Issue Highlights Need for HIPAA Security Plan

Posted on 24 Aug, 2017 |comments_icon 4|By Elizabeth

Lack of firewall in secondary systems shows why risk analysis is crucial in healthcare settings.

Large organizations look at the big picture, forgetting oftentimes that it’s a small chink-in-the-armor that renders a downfall. Such is the case involving the University of Massachusetts at Amherst (UMass), who despite the best intentions, fell victim to a HIPAA disaster after a malware issue left the organization vulnerable to ePHI loss.

Background. In a recent settlement, UMass agreed to pay $650,000 in a corrective action to the government for HIPAA violations that resulted from a malware virus on a workstation, which was uncovered during an investigation by the Office of Civil Rights (OCR) in June of 2013. The issue was detected on a workstation in its Center for Language, Speech, and Hearing — also known as just “the Center” — which resulted in the loss of ePHI at UMass and affected around 1,670 individuals.

The malware problem occurred because the university lacked a firewall to protect the information of the workstation users. “UMass failed to designate all of its health care components when hybridizing, incorrectly determining that while its University Health Services was a covered health care component, other components, including the Center where the breach of ePHI occurred, were not covered components,” an HHS news release from Nov. 22, 2016 said.

HIPAA fail 101. What UMass failed to appreciate was the necessity for HIPAA compliance on auxiliary campus machinery. The Center lacked the written formalities that would have ensured the workstation coverage as a healthcare component under HIPAA, which is also known as hybridizing, the HHS news release suggests.

“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” said Jocelyn Samuels, OCR director. “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”







Here’s Why Risk Analysis Is Critical

Sadly, the Center did not perform a risk analysis until after the fact, and the failure to do so snowballed as UMass didn’t have the technical safeguards in place to protect the people who used the workstation and their ePHI. Since the settlement, UMass has begun work on correcting its problems with “an enterprise-wide risk analysis” that will hopefully fix and manage future HIPAA dilemmas.

Tip: With risk analysis tools available through the HHS and reputable firms capable of quickly and efficiently assessing risk for healthcare facilities big and small, there’s really no excuse for leaving data unprotected.

Five things you can do to combat HIPAA-related issues:

  1. Assess your HIPAA risk annually either with the HHS online tool or using a reputable firm or program.
  2. Hire a health IT provider who understands what’s at stake under HIPAA and is certified.
  3. Test your software often for vulnerabilities and keep it updated.
  4. Ensure that your tech people are monitoring the firewall security.
  5. Look for antivirus products that protect against threats common to healthcare hacking.

To learn more about malware threats—as well as how to reduce your HIPAA breach dangers, tighten up your electronic health record (EHR) privacy and security, and reassess your risk analysis plan—pick up your copy of TCI’s HIPAA Handbook 2017.



To read the complete HHS news release, visit



Elizabeth works on an array of projects at TCI, researching and writing about modern reimbursement challenges. Since joining TCI in 2017, she has also covered the nuts and bolts of cybersecurity, compliance with federal laws, and how to tap into the advantages of telehealth services.

More from this author

View More

4 thoughts on “Malware Issue Highlights Need for HIPAA Security Plan

  1. I would like to show my affection for your kind-heartedness giving support to those people that need help with the area. Your very own dedication to getting the solution all around appeared to be quite significant and has helped most people much like me to achieve their objectives. Your insightful guide denotes a great deal to me and further more to my mates. Best wishes; from everyone of us.

  2. I simply had to appreciate you all over again. I’m not certain the things I would have created in the absence of these opinions contributed by you directly on such question. Completely was a real frustrating matter in my view, but observing the skilled technique you dealt with that took me to leap over fulfillment. Extremely happier for your information and have high hopes you recognize what an amazing job you are putting in training people all through your webblog. I am certain you have never encountered all of us.

  3. I really wanted to jot down a simple word so as to express gratitude to you for all of the amazing secrets you are placing at this site. My time consuming internet look up has at the end of the day been rewarded with useful know-how to talk about with my classmates and friends. I would say that most of us readers are quite fortunate to dwell in a really good community with many special professionals with insightful guidelines. I feel truly grateful to have seen the web page and look forward to really more brilliant minutes reading here. Thank you once more for a lot of things.

  4. I wish to show some appreciation to this writer for rescuing me from this type of crisis. After scouting throughout the internet and meeting methods which are not powerful, I believed my life was done. Existing without the strategies to the difficulties you’ve resolved through your short post is a critical case, and the ones that would have adversely damaged my career if I hadn’t come across your web page. That capability and kindness in playing with every aspect was very helpful. I don’t know what I would’ve done if I hadn’t come upon such a step like this. I can also at this point relish my future. Thank you so much for your professional and result oriented help. I won’t be reluctant to endorse the blog to any individual who needs direction on this situation.

Leave a Reply

Newsletter Signup