Cybersecurity: 10 Steps to Protect Your Patients’ Data and Privacy

As more and more of our everyday lives and information move online, cyber risks from hackers, malware, denial of service attacks, and ransomware attacks continue to increase. There are cybersecurity risks to everything from the nation’s energy infrastructure to personal health and financial data — with the latter putting physician practices squarely in the risk zone.

Generally speaking, what’s at stake? Breach of privacy. Loss of data. Loss of money. Service disruption. And even loss of trust — trust in technology, certainly, but people also lose trust in an organization responsible for a cyber breach. Especially for physicians, having and keeping your patients’ trust is critical.

Cybersecurity Awareness Month is a great time to evaluate your practice to ensure you’re doing everything you can to protect your patients’ data, privacy, and continuity of care.

Strengthen EMR and EHR Cybersecurity

The American Medical Association recently released detailed cybersecurity resources for physicians, including an updated 2022 guide on Electronic Medical Records in Healthcare from the U.S. Department of Health & Human Services (HHS). The guide details benefits and risks of using EMRs and EHRs, such as vulnerability to hacking. The guide also reviews specific threats to EMRs and EHRs, including ways to protect against each threat, as well as strategies to strengthen cybersecurity.
Email is an “easy” way for hackers to get into your practice. Many phishing schemes and ransomware attacks target email systems, where staff who use email can inadvertently fall victim to these threats. Phishing attacks take the form of malicious emails that trick recipients into clicking a link or downloading a file that exposes their computer to malware, which can do everything from destroying files to spreading a virus to other systems. Ransomware, also delivered via email, is software that holds your systems or data hostage until a ransom is paid.

The HHS and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) have detailed prevention resources for both: Counter-Phishing Recommendations for Non-Federal Organizations and Ransomware: What It Is and What To Do About It.

Take Action

Here are some helpful ways you can strengthen your cybersecurity and take action to protect your patients’ data, privacy, and continuity of care:

  • Training: Educate all staff on cybersecurity risks and responses as well as proper use of email and other systems to ensure security protocols are applied and followed.
  • Added protection: Supplement the cyber protections offered by third-party providers and vendors to address any gaps in systems and services.
  • System backups: Ensure all critical systems are regularly backed up and can be readily accessed as needed.
  • Planning: Develop detailed incident response plans, as you would for disaster response, including the importance of contacting law enforcement as soon as possible.
  • Updates: Regularly apply system and network updates so that security protections are current.
  • Access review: Determine which staff, vendors, and other outside parties need to have access to your network and other systems and ensure those who don’t need the access don’t have it.
  • Passwords: Use strong passwords and change them frequently to maximize their effectiveness. Make sure all staff are protecting their confidential passwords.
  • Remote protection: Assess remote workers’ security to ensure it’s buttoned up, including systems access, password use and storage, personal computers and networks, and general cyber safety protocols staff should be following.
  • Mobile protection: Ensure staff who use mobile devices for email and network access have strong passwords, encrypted data, and updated security apps.
  • Insurance: Protect your practice with cyber-related coverage. The MSV Insurance Agency (MSVIA) specifically offers Cyber Liability Coverage that expands coverage beyond standard professional liability.

Cybersecurity is important for your practice every day. It’s not something to think about once in a while or even once a year, although Cybersecurity Awareness Month is a perfect time for a reminder. Make training, updates, reviews, and assessments part of your regular business operations to give you the peace of mind of knowing you’re doing everything you can to protect your patients’ data, privacy, and continuity of care.