How to Prevent Costly and Dangerous Cyberattacks

Greg A. Hood, MD


April 25, 2017


Educating Staff Is Vital

Teaching staff to be careful with emails, especially those with attachments, and with text messages is essential. Emails that look entirely legitimate often carry telltale signs, such as links whose real destination differs from what is displayed, that help with fraud detection.

These electronic attacks can be very deceptive and appealing. Not only do they still succeed at an alarming rate, but even telephone impersonations still succeed today, despite HIPAA prohibitions and precautions. In fact, HIPAA places a particular burden on every practice to meet compliance and risk-abatement best practices routinely.

The first and foremost step in cybersecurity is management of personnel. Staff must be taught, and reminded, how important security is to the practice. Failure to maintain security can lead to data loss and related expenses; slowed access and responsiveness at work terminals; and loss of system integrity, ransomware, and even practice closures, whether temporary or permanent—with commensurate changes in employee paychecks.

Basic practice protocol should include making sure that all systems run up-to-date operating systems and browsers and that these are patched regularly. It is tragic how out of date some practices' systems can become.

There are also resources available, including those from the Internal Revenue Service and the US Securities and Exchange Commission, that provide tips on how to avoid phishing and scams.

Emails Are Targets

Despite browser and security updates, email remains vulnerable. It is essential that staff privileges be curtailed when it comes to accessing services at work—especially social media. That means you need a policy in place regarding staff use of social media from work. Communicate that policy, and be prepared to enforce it. Of course, that raises the question of how you know whether staff are following it.

The combination of home and work via smartphones also poses a risk, because they contain both social media apps and apps for accessing electronic health records (EHRs) and portals.

Text messaging is another common vulnerability, for which additional apps are available to improve HIPAA compliance and security. Such vulnerabilities may be limited by meeting current goals of having every provider practice to the full extent of their licenses.

Staff should only be "licensed" enough to complete their job description. Furthermore, if traffic patterns suggest access to certain external websites or types of websites, access to those sites should be reviewed and blocked.
