By Greg Freeman
The Office of Civil Rights (OCR) recently announced the ninth settlement to resolve an investigation of a ransomware attack. Virtual Private Network Solutions agreed to pay a financial penalty of $90,000 and comply with other obligations after OCR determined it failed to conduct a HIPAA-compliant risk analysis. It is the latest in a string of settlements involving a failure to conduct risk analyses.
More information on the settlement is available online at https://bit.ly/4jOWHZH.
After a challenging 2024 marked by numerous healthcare breaches that tested patient trust, OCR responded with multiple enforcement actions in early 2025, says Joe Oleksak, partner with the tax and consulting firm Plante Moran in Schaumburg, IL. These actions, combined with a proposed modification to the HIPAA Security Rule, signal a heightened focus on strengthening cybersecurity protections for electronic personal health information (ePHI), he says.
“Healthcare organizations should take these developments as a clear call to elevate their approach to cybersecurity and compliance, with particular emphasis on proactive risk management, breach response, and organization-wide accountability,” Oleksak says.
He says these are the key takeaways from the settlements:
- Organizations must conduct comprehensive risk assessments that go beyond information technology (IT) departments. This identifies vulnerabilities across policies, processes, and third-party dependencies.
- Organizations must have robust plans to identify and correct vulnerabilities before they can be exploited. This includes regular updates, patches, proactive monitoring, maintaining regulatory awareness, and providing detailed executive reporting.
- Ensuring timely and compliant breach notifications is essential. Effective communication protocols help maintain patient trust and meet HIPAA requirements.
- Continuous training and adherence to HIPAA policies and procedures across the entire organization are vital. This helps create a culture of compliance and security awareness.
Many organizations fall into the trap of confining cybersecurity to the IT department, overlooking significant risks in the process, Oleksak says. He notes these common points of failure and strategies to address them:
- Security often is viewed as an IT responsibility by executives and business leaders. However, cybersecurity compliance extends beyond technical aspects (e.g., third-party risks, supply chain vulnerabilities) and includes people, policies, and procedures. It requires executive leadership’s attention to address business dependencies and organizational blind spots.
- Relying solely on IT and internal controls without independent assurances can create blind spots and regulatory gaps. Independent HIPAA risk assessments, incident response and business continuity tabletop exercises, and penetration testing provide an external perspective, uncovering vulnerabilities and risks that might be overlooked internally. These assessments ensure that security measures are comprehensive and align with regulatory expectations.
“OCR’s recent enforcement actions and proposed HIPAA updates reflect a clear emphasis on proactive security measures and stricter accountability. The significant number of healthcare breaches in 2024, which tested patient trust and organizational resilience, will continue to shape oversight throughout 2025 and beyond,” he says. “The enforcement actions in 2025 have underscored issues, including inadequate risk analysis, insufficient security protections, and delays in breach notifications. These same shortcomings are central to the proposed changes to the HIPAA Security Rule, further signaling OCR’s intent to maintain intense scrutiny in these areas.”
Looking ahead, Oleksak says organizations also should anticipate new compliance requirements. Among these is the likely introduction of mandatory annual independent HIPAA Security Audits, mirroring practices already established in the financial sector. While the proposal is pending finalization, it is a strong indication of OCR’s commitment to elevating cybersecurity standards and ensuring that entities not only comply with existing rules but also proactively adapt to evolving threats, he says.
These settlements underscore the importance of performing thorough HIPAA risk analyses to identify potential vulnerabilities and prevent ransomware attacks, says Adhiran Thirmal, senior solutions engineer with Security Compass in Toronto.
“A thorough HIPAA risk analysis isn’t just a regulatory box to check. It’s an essential part of an organization’s security framework. The settlements show that OCR is making it clear that organizations must be proactive in identifying and addressing cybersecurity risks,” he says. “A comprehensive risk assessment allows organizations to spot potential weaknesses, prioritize their cybersecurity efforts, and implement safeguards before an incident occurs. It’s about being prepared for the worst while working to prevent it. Covered entities should use these cases as a wake-up call to strengthen their cybersecurity posture and treat risk analysis as an ongoing process, not a one-time task.”
Failing to conduct an adequate or timely risk analysis is like leaving the door unlocked and expecting no one to walk in, Thirmal says.
“These entities could have done a lot to protect themselves. They could have identified gaps in their systems, implemented stronger encryption, or improved access controls. It’s not just about having strong defenses in place, but about constantly assessing whether those defenses are still adequate as new threats emerge,” he says. “If they had conducted regular risk analyses and updated their cybersecurity practices accordingly, they might have caught vulnerabilities before cybercriminals could exploit them. Essentially, they missed the opportunity to fix the weak points in their security — leading to breaches that could have been prevented with a bit more foresight.”
Some of the recent settlements involved business associates who failed to conduct compliant risk analyses under the HIPAA Security Rule, notes Elizabeth Heddleston, JD, principal with the Woods Rogers law firm in Roanoke, VA. Covered entities share vast amounts of protected health information (PHI) with their business associates, but these vendors do not always have sufficient safeguards to protect sensitive patient information, she says.
“Covered entities must vet their business associates before entrusting them with PHI. At a minimum, covered entities should request documentation verifying that these vendors are performing risk analyses and have appropriate safeguards to protect PHI,” Heddleston says. “Business associates are required to comply with the HIPAA Security Rule, and it’s a red flag if they are not performing a HIPAA-compliant risk analysis.”
An effective risk analysis requires an entity to essentially map all the electronic PHI maintained by the organization, including where it is stored and how it flows, she says. Once an entity has mapped its PHI, it must thoroughly identify potential risks and vulnerabilities to that PHI. This allows an entity to develop a strategic plan for mitigating those risks.
“Covered entities and business associates not performing compliant risk analyses will likely receive more scrutiny from OCR and are at heightened risk for fines and penalties. OCR is sending a strong message that risk analyses are the foundation of an effective HIPAA compliance program and can play a role in warding off cyber-attacks,” Heddleston says. “While there is some uncertainty around enforcement priorities in light of the transition in the White House, I expect to continue to see continued enforcement in this area.”
Sources
- Elizabeth Heddleston, JD, Principal, Woods Rogers, Roanoke, VA. Telephone: (540) 983-7741.
- Joe Oleksak, Partner, Plante Moran, Schaumburg, IL. Telephone: (847) 628-8860.
- Adhiran Thirmal, Senior Solutions Engineer, Security Compass, Toronto, Canada.
Greg Freeman has worked with Relias Media and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Relias Media products. In addition to his work with Relias Media, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.