Computers are both a blessing and a curse.
The computing power and work capabilities of modern systems are immense. Add the power of the Internet, and productivity across healthcare skyrockets. The practice of medicine has had a quantum leap in communications and documentation, although there is some grumbling about efficiency (mostly from physicians).
But then comes the curse.
The same connectivity has created new management responsibilities and empowered a new class of cybercriminals — some motivated by profit, others by disruption and notoriety. Small and midsize medical practices are no longer beneath their notice.
Cybersecurity is not optional. It is a core management responsibility.
Start with the basics
While enterprise health systems may have dedicated cybersecurity teams, most independent and physician-owned groups do not. Many medical practices still struggle to implement basic cybersecurity protections.
The risks of cyberattacks for physician practices include financial losses, disruption of patient care, damage to reputation, and potential regulatory penalties. Cybersecurity threats are rapidly evolving, underscoring the importance of staying informed and proactive.
Every practice must develop foundational security through:
- Policies and procedures
- Staff training
- System monitoring
- Corrective action planning
Critical systems such as EHRs, billing software, accounting tools, and email communications must be safeguarded.
Most common attacks
Based on industry research and federal guidance, the following are the most frequent cyber threats to physician practices:
- Phishing attacks (fraudulent emails to obtain passwords or personal data)
- Malware and ransomware (malicious software that may encrypt data and demand ransom)
- Denial of Service (DoS) attacks (overwhelming systems to render them inoperable)
- Zero-day exploits (attacks on vulnerabilities for which no patch yet exists)
Most common management failures
- Weak or outdated passwords
- Failure to install security patches or updates
- Poor system configuration
- Inadequate supervision of users and third-party vendors
- Lack of formal policies or training
Additional management vulnerabilities include using unsecured Wi-Fi networks and poor handling of portable devices such as smartphones or tablets. Encryption and secure management of portable devices are critical, and not only for security: under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance is not "unsecured PHI", so the loss of a properly encrypted, password-protected device is generally not a reportable breach, while the loss of an unencrypted one is.
We suggest an annual review and assessment of the practice's cyber needs and concerns, conducted by practice personnel with external consultants and vendor representatives as needed. Insurers may also recommend such a review, and the practice can ask whether premium credits are available for this diligence.
What is cybersecurity?
Cybersecurity includes:
- Protecting IT systems from attack
- Securing networks
- Safeguarding data from theft, misuse, or destruction
Effective security requires:
- Anticipating and understanding threats
- Keeping systems updated
- Training staff
- Enforcing clear protocols
The cybersecurity triad
A widely accepted framework, usually called the CIA triad, focuses on:
- Confidentiality: Limiting access to sensitive data
- Integrity: Protecting data accuracy and trustworthiness
- Availability: Ensuring systems and data are accessible when needed
The triad aligns closely with the HIPAA Security Rule, which requires covered entities to ensure the confidentiality, integrity and availability of electronic PHI, and with the NIST Cybersecurity Framework, providing structured principles for protecting patient information and practice operations.
Key principles of a cybersecurity plan
Referencing guidance from the U.S. government and industry leaders, an effective cybersecurity plan should:
- Identify potential risks and threats
- Protect systems and assets proactively
- Detect breaches or suspicious activity
- Respond quickly with pre-developed protocols
- Recover data and system access efficiently
These five steps are the core functions of the NIST Cybersecurity Framework; version 2.0, released in 2024, adds a sixth, Govern, covering the policy and oversight work described earlier. Cybersecurity is about prevention and resilience. Your organization may not be able to prevent every attack, but you can limit the damage.
Incident response and recovery
Every practice should document its incident response plan and test it at least annually, for example with a tabletop walk-through of a ransomware scenario. The plan should name who declares an incident, how affected systems are isolated, who contacts the IT vendor and the cyber insurer, and who decides whether an event is a breach of unsecured PHI under HIPAA, since notification to affected individuals is due no later than 60 days after discovery. Quick and effective responses to breaches significantly reduce damage and recovery time.
The role of external support
Most physician practices will need outside vendors or consultants to maintain and audit cybersecurity protections. It's important to vet vendors carefully. Ensure they understand HIPAA requirements and offer Business Associate Agreements (BAAs).
Every practice should budget for ongoing IT security investments. After surveying multiple commercial benchmarking projects, it appears 6% to 10% of total IT spending would be in a reasonable range. A practice with an annual IT budget of $300,000 would budget $18,000 to $30,000 for cybersecurity.
Remember: Cyber spending will be higher in the year a program is initiated, as well as in years with a major attack or other crisis.
Basic cybersecurity checklist
This checklist is designed for non-technical managers and administrators as a starting point:
Software inventory and access control
- Maintain records for all software: vendor info, renewal dates, licenses, support contacts.
- Each system should have:
  - Unique admin credentials
  - User-specific passwords
  - Role-based access tied to job duties
- Software installation should be limited to authorized personnel.
Security software and updates
Implement critical security tools, including antivirus software to detect malicious software, firewalls to block unauthorized access, and intrusion detection systems to alert administrators of suspicious activities.
- Ensure antivirus/firewall tools are active and licensed.
- Schedule updates and document any customizations.
- Maintain logs of software patches and vendor interventions.
Devices and connectivity
- Secure Internet connections and equipment; keep any guest or patient Wi-Fi on a separate network from clinical systems
- Evaluate the need for Virtual Private Networks (VPNs) for remote access
- Restrict administrative access to routers/modems and change their default passwords
Onboarding and use policies
Continuous employee training is essential, including periodic mock phishing tests to maintain high levels of staff awareness and preparedness.
- Formal cybersecurity orientation for new hires
- Email account setup and testing
- Policy training (e.g., no personal downloads, no sharing of hardware)
- Multifactor authentication (MFA) for administrative accounts, email, any remote access, and critical systems
- Change passwords promptly whenever compromise is suspected; if the practice keeps a rotation schedule, note that NIST SP 800-63B no longer recommends forced periodic changes, and prefer long, unique passwords kept in a password manager
Data security practices
- All staff trained on HIPAA and financial data handling
- Only approved personnel use company-approved laptops/tablets
- Secure use of external storage and hard copy documents
- Lost devices must be reported immediately and wiped remotely where possible; retired devices must be wiped before disposal; both are recorded in the device inventory
Offboarding/termination
- Prompt deactivation of all system access (EHR, email, billing, VPN and any remote access), ideally on the last working day
- Reassignment of permissions and workload
- Inventory of files and account ownership
- Cyber practices questions in exit interviews
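The access-control items above (unique admin credentials, user-specific logins, role-based access) and the offboarding items reduce to one recurring check: compare what HR says about staff with what each system says about accounts. The script below is an added example, not part of the original article and not from any vendor product. It assumes two CSV exports with the columns shown, an HR roster and one system's account list; real EHR, billing or email exports use different column names, so map them first. The sample data is constructed for the example.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data (not real practice data): an HR roster export and an
# account export from one system, e.g. the EHR or the billing application.
# Column names are assumptions for this example.
HR_ROSTER_CSV = """employee,status,termination_date
alice,active,
bob,terminated,2024-05-01
carol,active,
dave,terminated,2024-02-15
"""

ACCOUNT_EXPORT_CSV = """username,owner,role,mfa_enabled,last_login
alice,alice,clinician,yes,2024-05-20
bob,bob,billing,yes,2024-05-03
carol,carol,admin,no,2024-05-19
admin,,admin,no,2024-05-18
frontdesk,,user,no,2024-01-10
dave,dave,user,yes,2023-12-01
vendor_support,eve,admin,yes,2024-05-15
"""


def _parse_date(text):
    """ISO date string to date, or None when the field is empty."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(hr_csv, accounts_csv, today, dormant_days=90):
    """Compare one system's accounts against the HR roster.

    Returns a list of (username, finding) tuples, one per problem found.
    """
    roster = {r["employee"]: r for r in load_rows(hr_csv)}
    findings = []
    for acct in load_rows(accounts_csv):
        user, owner = acct["username"], acct["owner"].strip()
        last_login = _parse_date(acct["last_login"])

        # Offboarding: the owner has left but the account was never deactivated.
        if owner in roster and roster[owner]["status"] == "terminated":
            term = _parse_date(roster[owner]["termination_date"])
            findings.append((user, f"owner terminated {term} but account still enabled"))
            # A login after the termination date is the serious case: escalate it.
            if last_login and term and last_login > term:
                findings.append((user, f"login on {last_login} after termination date {term}"))
        # Third-party supervision: the owner is nobody HR knows about.
        elif owner and owner not in roster:
            findings.append((user, f"owner '{owner}' not on HR roster; needs a documented sponsor"))
        # Unique credentials: no named owner means a shared or generic login.
        elif not owner:
            findings.append((user, "no individual owner (shared or generic account)"))

        # MFA on administrative accounts.
        if acct["role"] == "admin" and acct["mfa_enabled"].lower() != "yes":
            findings.append((user, "admin role without MFA"))

        # Dormant accounts point to incomplete offboarding or access nobody uses.
        if last_login is None:
            findings.append((user, "no recorded login"))
        elif (today - last_login).days > dormant_days:
            findings.append((user, f"dormant: last login {last_login}"))
    return findings


def summary(findings):
    """Number of findings per account, for a one-line report."""
    counts = {}
    for user, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


def run_sample():
    """Run the check over the constructed data as of a fixed date."""
    return reconcile(HR_ROSTER_CSV, ACCOUNT_EXPORT_CSV, date(2024, 5, 21))


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:15} {finding}")
```

Run it per system, at least quarterly and always after a termination; every line it prints is either a ticket for the vendor or an item for the annual review. It deliberately flags the vendor account whose owner is not on the roster: third-party access needs a named sponsor and an end date just as an employee's does.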
References
- HIPAA Journal. "The Biggest Healthcare Data Breaches of 2024." March 2025. https://www.hipaajournal.com/biggest-healthcare-data-breaches-2024/
- MGMA Stat. "Medical practice leaders attuned to cyberattacks, recovery after a rocky 2024." January 2025. https://www.mgma.com/mgma-stat/medical-practice-leaders-attuned-to-cyberattacks-recovery-after-a-rocky-2024
- CISA. CISA Cybersecurity Strategic Plan. https://www.cisa.gov/cybersecurity-strategic-plan
- HSCC. Health Industry Cybersecurity Strategic Plan 2024-2029. https://healthsectorcouncil.org/the-plan/