"The new HHS guidance is going to really ratchet up people's attention, because now you're also talking about big fines from the government, as well as the effects of the ransomware."
Conceivably, certain ransomware attacks might still not rise to the level of a HIPAA breach, but the conditions seem unlikely, Sittig says.
"Unless you can prove the data didn't leave the system and that it was encrypted, then you have to report it as a HIPAA breach," he says.
CMS guidance and HIPAA violations or not, Sittig expects ransomware attacks to continue as long as the ransom-demanders stand to make any money.
"The only problem with that is a few of the people that have paid the ransoms haven't gotten their data back," he says.
"If they don't release the data when someone pays the ransom, it will quickly get out, and no one else will ever pay a ransom again. But people are not going to stop doing ransomware just because the government puts out a thing like this. They're going to keep doing it until it doesn't pay anymore."
Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.