Cybersecurity and the management of network assets isn’t an easy feat even for enterprise-level organizations. For small medical offices, the challenges can grow by leaps and bounds.

According to a report from the Health Sector Council, small health care organizations tend to have limited resources to manage their cybersecurity, but they are just as much at risk of being targeted in attacks as large organizations. As stated by Efficient IP, most small medical practices and offices are working to make sure they deliver quality patient care in a cost-effective way, but that doesn’t always leave the time or resources for in-depth cybersecurity to be a priority.

Even though it may not be an obvious priority, this has to shift, particularly as the threats facing small practices grow every year. Small practices are no less subject to legal and regulatory requirements, and it’s essential for medical practices of any size to create a strong infrastructure and network framework to protect their patients. The following are key things to know about cybersecurity as a small medical office, including best practices and relevant facts.

Cyberattacks Are Common and Cause Disruption

According to data cited by the American Medical Association, criminals find value in medical files because they contain a wealth of personal and financial information. That data can then be used for various fraud-related purposes. A survey conducted by the AMA and Accenture that looked at 1,300 physicians found more than four out of five surveyed physicians were a victim of a cyber attack at some point. Phishing was the most common type of attack reported in that survey. The next most commonly reported attack was the infection of computers with viruses and malware. When a practice is the victim of a security breach and patient data is compromised, it can cause significant disruptions in the business.

For example, the same AMA survey shows that 64% of medical practices experiencing a cyber attack-related shutdown had their systems down for at least four hours, and 20% said they were down for five to seven hours. Twelve percent were down for anywhere from one to two days.

Third-Party Cybersecurity Resources

Most small medical practices rely primarily on IT vendors as an integral part of the cybersecurity plan. While this is normal, it does make it important for practices to ensure they are vetting their IT and third-party security vendors appropriately, because if the vendors are targeted or don’t meet medical regulatory requirements, then it creates a problem for the practice itself.

Cybersecurity Has to Be Part of a Practice’s Culture

Medical practices have to start building out their plans for cybersecurity based on the fact that these are cultural elements of the business. Too often, smaller medical practices will try and tack on cybersecurity messages as they go, without any real fundamental understanding of how these fit into their overall framework and day-to-day work.

Small practices should focus on ensuring that all employees and relevant stakeholders, including the provider team, are well-trained on cybersecurity best practices, and that training is ongoing to reflect the evolution in needs. Understanding the importance of cybersecurity should start at the top, and ensuring the security of all information should be a core value of all medical practices.

Don’t Overlook Mobile Devices

Mobile devices are becoming increasingly common in practices, and they offer new opportunities for providers in terms of flexibility and accessing information when working with patients. However, there are cybersecurity risks to take into account too.

For example, any mobile device carries an inherent potential for theft. Mobile devices must have authentication and access controls, and there has to be a strong sense of physical control when it comes to the handling, management, and storage of the device.

Maintaining IT Systems

In most cases, a small medical practice will have a variety of hardware and cloud-based assets. The entire IT system, of which EHR systems are an integral part, needs to be well-maintained.

The systems need to be configured with the highest levels of security in mind. If there are applications or software installed on a network that are no longer being used, they need to be uninstalled right away. A medical practice can’t afford to accept the standard automatic configurations that come with their software, which means they often need to turn to outside third-party experts to help them in setting up their networks and the assets that are part of the network. All software used in a medical practice needs to be regularly updated, and pertinent parties should be aware of how updates are sent out with all software.

A firewall protects a network and the EHR system against threats from the outside. Some EHR systems are disconnected from the internet, but if not, a firewall will need to be put in place. A firewall prevents entrance from threatening parties altogether, whereas something like a virus protection software platform searches for threats that have already come into the system. Firewalls can be hardware- or software-based. In simplest terms, the role of a firewall is to take the information and input coming into a system from outside of the system and decide whether or not it should be permitted in, based on specific criteria.

Make a Plan

Sometimes even with the best protections and well-trained employees, things can go wrong. There are not only cybersecurity attacks to be cognizant of, but also things like natural disasters that could impact patient records and network assets. Medical practices need to approach this in a multi-layered way. There should be secure backups of all patient records and data, paired with a recovery plan. Finally, access control is an integral part of cybersecurity in small medical practices, as well. Access control means that you set permissions, often manually in a smaller setting, that indicate who can access what. Of course, the general rules of cybersecurity apply in small medical settings as well, such as strong password protection across devices and accounts.