HIPAA: Are You Prepared for a Computer Virus Incident?

Most practices assume they have HIPAA covered, but when an actual incident occurs, they find out too late that staff are not prepared or the practice is missing important compliance documentation.

Computer viruses, or malware, are so widespread that they seem impossible to prevent. The most common type of malware is a Trojan, which can contain programs designed to steal the data on your computer and network.

What happens if you can't document your compliance?

In addition to hundreds of thousands of dollars in breach costs, a covered entity was fined $150,000 after a malware infection breached patient data because of the following compliance deficiencies:

  • Adopting, but not following, sample or "template" security policies;
  • Using unsupported and unpatched software; and
  • Failing to monitor network activity to detect threats.             

What do you need to do if one of your computers is infected with malware (virus)?

1. Conduct a risk assessment.

You should have an incident response plan for a virus or malware infection that your HPAA security officer can use to investigate and respond to the incident. The plan should include the steps to keep the infected device from spreading the virus, accessing the network, and accessing the Internet as well as whom to contact to determine if the malware compromised any protected health information (PHI). If PHI was compromised and may have been accessed by unauthorized individuals, you may need to report a breach under the HIPAA Breach Notification Rule.

2. Gather compliance documentation.

You will need documentation to support the final determination of your risk assessment, whether or not you determine a breach has occurred. This may include:

  • Malware identified as a threat in your most recent risk analysis;
  • Maintaining software with the most recent security updates identified as a safeguard in your compliance plan;
  • Implementing malware prevention software (antivirus) or system identified as a safeguard;
  • Monitoring network activity and threat detection identified as a safeguard;
  • Policies that specify safeguards are to be implemented: maintaining software, malware prevention software, and network activity monitoring;
  • Documentation that your policies have been implemented; and
  • Documentation that your policies are followed after implementation, including verification that the most recent security updates were installed, malware software scans have been run, and network activity has been reviewed.

Don't wait until you have an incident. If you aren't sure if you have a complete compliance program or your HIPAA Security Officer can't easily gather your compliance documentation, visit the TMA HIPAA Resource Center to find out more about HIPAA security, and read HIPAA Security: Compliance and Case Studies, available in the TMA Education Center

Reviewed Nov. 12, 2015

TMA Practice E-Tips main page

Last Updated On

May 30, 2019

Originally Published On

August 25, 2015

Related Content

HIPAA | HIT | Risk Management