Health Entities and Ransomware — HHS Adopts a “Blame the Victim” Strategy. Let’s See if It Works.

The HHS Office for Civil Rights settled four HIPAA Security Rule investigations tied to ransomware incidents that collectively affected over 427,000 individuals, using those cases to emphasize that inadequate risk analysis, asset inventories, logging, backups, and vendor controls can turn ransomware into enforceable HIPAA violations; the piece advises covered entities and business associates to document and operationalize risk analysis, testing, MFA, backups, logging, and incident response to mitigate regulatory and patient harms.