Get Live Chat Request a Callback Get live demo

← Back

Medical practice cybersecurity: 4 Sure Ways to Stop Cyber Thieves


On the beach | AdvancedMD

Medical practice cybersecurity is a major risk. Substantial fines and cost of repair for a breach of patient personal healthcare information (PHI) can be devastating to a group practice. Use these 4 measures to stop cyber thieves.

Get the free eGuide: Medical Practice Cybersecurity: “Patients for Sale” 4 Sure Ways to Stop Cyber Thieves

Physicians by and large go to great lengths to ensure their patients are safe and well cared for and that the clinic, front office and back office are all operating smoothly and efficiently.

Unfortunately, one area of medical practice is still lagging, creating a potentially major risk for doctors and patients alike: cybersecurity – the security of patients’ personal healthcare information, or PHI, stored in the electronic medical record systems.

The healthcare industry historically leads in the number of security breaches per year where sensitive personal data is lost to cyber thieves. A recent Protenus report found that healthcare cyber breaches now account for 34% of all incidents worldwide, and have jumped 151% over the past ten years, reaching a pace of one breach per day in 2017. Neglecting the cybersecurity of your patient data is equivalent to hanging out a big cyber sign saying, “Patients for Sale.”

Why Do Cyber Thieves Pick On Me?

The short answer is PHI is among the most valuable data on the planet. A recent Trustwave report found that a healthcare record may be valued at up to $250 per record on the black market, compared to $5.40 for the next highest value record (a payment card). That’s because the medical record is the most comprehensive profile of a person’s identity that exists today.

High Risks

Cyber breaches are governed by the Office of Civil Rights, OCR, an office of the Department of Health and Human Services that oversees overall HIPAA compliance. Even a small breach can result in large fines – from hundreds to thousands of dollars per record – if compliance is especially weak or lacking. Required notification and remediation costs add an additional $148 per record. And no dollar figure can capture the sentiment of patients who lose confidence in their providers as a result of a cyber hack. The results can be devastating to a group medical practice.

What You Can Do: 4 Sure Ways to Stop Medical Practice Cyber Thieves

While no system is completely impervious to hacking, implementing these four proven approaches will vastly improve your defense against cyber criminals, and will put you in a very strong position for dealing with OCR and quick recovery in the unfortunate event of a breach or audit.

#1. Know Where You Are Now – Perform a Security Risk Analysis

As a minimum, obtain a reliable checklist that is comprehensive and HIPAA-centered, and complete a self-assessment. If your practice is inexperienced in this area, a better option might be to hire an outside security company to perform a HIPAA security risk analysis.

#2. Create a Risk Management Plan

Document risks that come out of the security risk analysis, determine how they’ll be handled, and track the progress of remediation efforts.

#3. Control External Vectors

In security lingo, a vector is a pathway used by hackers to infiltrate a target system. Here are a few key defenses against outside threats, or external vectors.

  • Move to a Cloud-based System
    Leading cloud-based EHR/PM/Billing system vendors have invested millions of dollars protecting PHI, and many have dedicated security teams. It is virtually impossible for a small or midsized practice to invest sufficiently to protect data in an on-premise system.
  • Sign Business Partner Agreements
    This is a HIPAA requirement for any business partners you engage with.
  • Plug Endpoint Holes
    This includes encrypting laptops and other access devices, changing default passwords on routers and Wi-Fi access points, and securing kiosks and monitoring devices open to the public.

#4. Control Internal Vectors

In practical terms, you are only as safe as your least committed, least well-trained employee or colleague. Research shows that 53 percent of breaches originated internally.2 Here’s what you can do:

  • Thoroughly Screen Employees
    Background checks on all new hires and probing screening interviews.
  • Detailed, Ongoing Training
    Employees must be thoroughly trained on types of cyber attacks, how to recognize them, and what to do when they encounter suspicious items. Ongoing policy review is a must.
  • Listen
    Create a strong feedback loop where employees have the opportunity to ask questions, relate experiences, and share success that can help others throughout the organization.

No Patients For Sale From My Practice

Cyber criminal activity is at an all-time high and is growing worldwide at an accelerated pace. Fortunately, the good guys have developed strong countermeasures and the ability to stay a few steps ahead. The key is to understand the risks, create a strong plan, engage the right experts and technology, and constantly train and upgrade employees’ knowledge of what to look for and what to do. Now is the time to put a stake in the ground and protect your practice, and especially your patients. Their PHI should never be for sale from your practice.

Get the free eGuide: Medical Practice Cybersecurity: “Patients for Sale” 4 Sure Ways to Stop Cyber Thieves

Topic: Patient Experience, Uncategorized

Other Resources Related to This Topic


2023 Fall Release On-Demand Webinar

We’re excited to share the new features and many enhancements to our practice management, EHR,...


What You Should Know About Medicaid Redetermination

In this recorded webinar you’ll learn how to redetermine the eligibility of your client’s Medicaid...


Experts answer your HIPAA compliance and 405(d) questions

In this recorded webinar, we’ll highlight changes to HIPAA regulations and highlight best cybersecurity practices....

“The money I have invested in AdvancedMD is miniscule compared to the return. I have never been more efficient – ever – in my professional life as I am now.”

Jed Shay, MD
The Pain Care Center

Read the story  ›

“[Our] patients are very well-educated and well-informed, and they want to see results quickly. The practice has to run extremely efficiently and be accessible to them. The nice thing about [AdvancedMD] is it has allowed me to be more efficient both in and out of the office. Now I don’t have to come back into the office, which is great for my family and everything else. It saves me a lot of time – probably an hour a day on the three days I work in the second office.”

Keith Berkowitz, MD
Center for Balanced Health

Read the story  ›
Estaban Lavato, MD - La Loma Medical Center

“The best thing I ever did in private practice was getting AdvancedMD—it has liberated me.”

Estaban Lavato, MD
La Loma Medical Center

“Having integrated practice management and EHR is absolutely wonderful, you don’t have to flip back and forth between systems—all of your information is at hand when needed.”

Raju Raval, MD

Read the story  ›