Mary J. Hildebrand CIPP/US/E, partner and Chair of Lowenstein’s Privacy & Cybersecurity group, comments in TechRepublic on the risk of ransomware to startup and midsize healthcare companies, observing that there is no “one-size-fits-all” solution. "For every organization that adamantly refuses to cooperate, there is another one that weighs the relative costs of non-compliance in terms of interrupted healthcare, costs, expenses and reputational risk, against the amount demanded, and decides to wire the funds," she says.

In a second TechRepublic article on the subject, she addresses disclosure requirements under HIPAA when ePHI (electronic protected health information) is compromised. "OCR argues that ePHI was acquired during the encryption process, unless the covered entity that was attacked can prove otherwise," she says. "As any healthcare organization that has wrestled with this issue can tell you, this is a high bar to meet." Hildebrand recommends being prepared with a disaster recovery plan that “includes data back-ups, applications, infrastructure/cloud capacity, and appropriately skilled staff,” and keeping messages to employees and patients “brief, factual, and timely.”