Most practice leaders operate on dangerous assumptions. “We’re too small to target.” “HIPAA compliance keeps us safe.”
These sound reasonable. Until you look at the numbers.
This Cybersecurity Awareness Month, we’re cutting through the noise to give you what independent healthcare practices actually need: practical, high-impact security moves you can implement without adding headcount or disrupting patient care.
Do you think your practice is protected? Think again.
These cybersecurity myths are putting healthcare practices at serious risk.
60% of small businesses close within six months of a cyberattack. Healthcare data fetches $200-300 per record on the dark web. A practice with 10+ years of operation can easily have 100,000+ records, a $20-30M target.
Small practices aren’t invisible. They’re “soft targets” hackers prefer because they hold millions in patient data but lack the defenses of larger systems.
Why this matters now
Healthcare sees more breaches than any other industry. Attacks are fully automated now. As Tim Grelling from Focus Solutions notes, “If you’re on the internet with employee email addresses, you’re on somebody’s radar.”
The marginal cost to attackers is zero. They scan the entire internet for vulnerabilities regardless of your size.
These aren’t individual hackers hunched over keyboards anymore. Ransomware groups operate like businesses with help desks to ensure “customer satisfaction” when victims pay ransoms. If you haven’t experienced a breach yet, you’re simply waiting.
The 8 cybersecurity tips
1. Use phishing-resistant multifactor authentication (MFA) everywhere (not just email)
Why it matters:
Basic MFA isn’t enough against modern attacks like push bombing and MFA fatigue. Even if someone clicks a phishing link, proper MFA can save you from complete system takeover.
Tim emphasized this point: “If you don’t have multifactor authentication, please do that today… even if someone clicks on phishing, MFA often can save you.” Credential-based attacks remain the leading cause of healthcare breaches. Simple approve/deny push notifications can be defeated through persistence attacks.
What to do:
Set up MFA across all critical systems: EHR/PM platforms, billing systems, imaging systems, vendor portals, and every administrative account. Preferred methods include number-matching (not simple approve/deny), FIDO2 keys, and conditional access policies.
Take a phased approach. Start with admins and finance roles first. Then roll out to all users over 60-90 days.
Quick win:
Turn on number-matching for push notifications this week. It’s often a simple toggle in your authentication settings and immediately blocks push-bombing attacks.
Access controls matter, but they’re only as strong as the passwords protecting them. That’s where the next tip becomes critical.
2. Stop password reuse with a password manager or SSO
The reality:
The “pizza app to work login” attack chain is real. Jeffery Daigrepont from Coker Group explains how attackers exploit this: “When they hack their pizza app, they’re probably using the same password for that app that they use to sign into their computer.”
Attackers find where you work on LinkedIn. They guess your email format from your website. They try stolen credentials. “Just use stronger passwords” doesn’t work for busy clinical staff juggling 10+ logins daily.
What to do:
Set up SSO (single sign-on) for your most-used applications to cut down password fatigue. Add a healthcare-appropriate password manager for apps that can’t use SSO. Turn on breached password blocking in your authentication systems. Microsoft and Google both offer this feature.
Make personal password hygiene part of security training. 40% of breaches originate from insider threats: not rogue employees, but staff whose personal accounts were compromised first.
Quick win:
Audit how many unique passwords your average staff member manages. If it’s more than 5, you need SSO or a password manager immediately.
Strong passwords and MFA create your first line of defense. But who still has access to those systems matters just as much.
3. Run quarterly access reviews (who can see what)
Why this creates risk:
Permission creep happens when you grow, staff leaves, or you add new systems. Former employees, contractors, or vendors often retain access months after they should. The “least privilege” principle prevents one compromised account from accessing everything.
What to audit:
Review EHR access roles. Do front desk staff really need billing module access? Check shared mailboxes and distribution lists for dormant accounts. Audit vendor and third-party access, especially EHR support, billing companies, and clearinghouses.
Scrutinize admin and privileged accounts. These should be time-limited, not permanent assignments. Review “all staff” file shares that might contain PHI (Protected Health Information). These are gold mines for attackers who gain any employee access.
Quick win:
Start with just your admin accounts this month. Who has admin rights? Do they all need them? Is MFA enforced for every single one?
You’ll likely find at least 2-3 accounts that shouldn’t exist.
Technology controls only work if your team recognizes threats when they see them. That’s where training becomes your strongest defense.
4. Train staff on social engineering, not just annual checkbox training
The human factor:
Annual slide-deck training doesn’t change behavior. Cadence and relevance do. Attackers exploit healthcare workers’ helpfulness with scenarios like fake patients asking front desk staff to “just log into this portal.”
As Jeffery shared, “What front desk person doesn’t want to be helpful?” Hackers use OSINT reconnaissance (LinkedIn, your website) to profile staff. Then they launch targeted phishing that mimics vendors, HR, or EHR notifications. They exploit urgency and helpful instincts.
What actually works:
Set up a 90-day training cycle with simulated phishing exercises. Create role-based micro-lessons. The front desk faces different threats than the billing staff. Add one-click reporting of suspicious emails and celebrate fast reporters.
Build executive reporting that shows metrics improving over time. This demonstrates ROI and maintains leadership support.
Quick win:
Test your team this month with a simulated phishing email. Track who clicks and who reports. Build your training plan around the gaps you discover. This is what moving from reactive firefighting to proactive protection looks like.
While training addresses human vulnerabilities, understanding your cloud responsibilities closes technology gaps that practices often overlook.
5. Know your cloud security responsibilities (it’s not all on the vendor)
The dangerous assumption:
Most practices assume their cloud EHR vendor handles all security. They don’t. The “shared responsibility model” means you’re still accountable for access controls, endpoint security, and data handling.
As Tim noted, “Understanding who is responsible for what in cloud environments is the key… Someone else is doing some of them, but you’re still responsible.” Misconfigurations on your end can expose patient data even when the vendor’s infrastructure is secure.
Common gaps practices miss:
Weak passwords and lack of MFA on cloud application accounts top the list. Unprotected endpoints accessing cloud systems (staff personal devices) create vulnerabilities. Mishandled data exports and local backups often bypass vendor security entirely.
Third-party integrations you’ve authorized without proper vetting open backdoors.
What to do:
Understand what your EHR/cloud vendor secures: usually infrastructure, application security, and data encryption at rest. Know what’s on you: typically user access management, endpoint security, proper use policies, and third-party app permissions.
Document who owns what in your environment. Create a simple responsibility matrix that your team can reference.
Quick win:
Ask your top 3 cloud vendors for their shared responsibility documentation. If you can’t get it, that’s a red flag about the vendor relationship.
Knowing your responsibilities is step one. Knowing how to respond when things go wrong is equally critical—and that’s what most practices discover too late.
6. Run a 60-minute tabletop exercise (before a real incident)
Why preparation matters:
Most practices discover their response gaps during an actual breach. Too late. Knowing who owns what, how to communicate, and when to call authorities saves critical time.
The difference between an “incident” and a “breach” often comes down to how fast you respond and what you document. October is Cybersecurity Awareness Month for a reason. Preparation before an incident saves practices during a real breach.
What to test in your tabletop:
Decide who’s in charge: practice admin, IT director, or outside partner? Determine how you’ll communicate without email if email is compromised. Establish when to call law enforcement, HHS OCR, cyber insurance, and legal counsel.
Plan how you’ll continue patient care during system downtime. Verify where your backups are and how fast you can restore them.
What to document after:
List gaps you discovered: missing contact info, unclear roles, and no offline backup plan. Assign owners and due dates for each gap. Update your incident response plan and store it somewhere accessible if systems go down.
Quick win:
Schedule one hour next month. Walk through a ransomware scenario with key staff. Document every “we don’t know” or “I thought someone else handled that.”
Response planning protects you during a crisis. But preventing unauthorized access in the first place starts with controlling your most powerful accounts.
7. Review privileged admin accounts and enforce MFA coverage
The crown jewels:
Admin accounts unlock everything. Many practices have 3-5x more admins than they need: vendors who set up systems and never lost access, former IT staff, temporary contractor accounts.
A single compromised admin account can exfiltrate your entire patient database in hours.
Week 1 action plan:
Count every account with admin privileges across all systems. Check MFA coverage. Which admins don’t have it? This is unacceptable. Fix immediately.
Sweep for suspicious mailbox rules and forwarding on admin accounts. Review recent admin activity logs for unusual sign-ins.
What to fix:
Remove dormant admin accounts. If they haven’t logged in for 90 days, they don’t need admin rights. Implement time-bound elevation where admins get temporary elevated access only when needed.
Require phishing-resistant MFA for all privileged accounts. Set up alerts for admin account activity outside business hours or from unusual locations. Microsoft Sentinel and similar tools can automate this monitoring.
Quick win:
Run an admin account audit today. You’ll likely find at least 2-3 accounts that shouldn’t exist and several more that should be downgraded.
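The admin audit described in this tip (dormant accounts past 90 days, missing MFA, sign-ins outside business hours or from unusual locations, and mailbox rules that forward outward) can be run over an account inventory and a sign-in export. The script below is an added example, not code from the original post or from Focus Solutions; the accounts, sign-in entries, mailbox rules, business hours and known location are constructed placeholders, and the input format is assumed rather than taken from any specific product.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical accounts, not real ones): an admin
# inventory export and a few sign-in log entries with local timestamps.
ADMINS = [
    {"user": "it.admin@practice.example", "mfa": True, "last_login": "2025-10-01T09:12:00"},
    {"user": "vendor-setup@practice.example", "mfa": False, "last_login": "2025-05-20T14:03:00"},
    {"user": "former.it@practice.example", "mfa": True, "last_login": "2025-06-30T08:45:00"},
]
SIGNINS = [  # (user, local timestamp, coarse location from the sign-in log)
    ("it.admin@practice.example", "2025-10-02T10:15:00", "Dallas, US"),
    ("it.admin@practice.example", "2025-10-03T02:40:00", "Dallas, US"),
    ("it.admin@practice.example", "2025-10-03T11:05:00", "Lagos, NG"),
]
MAILBOX_RULES = [  # (mailbox owner, rule name, forward target or None)
    ("it.admin@practice.example", "File vendor newsletters", None),
    ("vendor-setup@practice.example", "Backup copy", "relay@mail-archive.example"),
]
NOW = datetime(2025, 10, 6)          # audit date (a Monday), constructed
DORMANT_DAYS = 90                    # the 90-day threshold from the tip
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 local time (assumed)
KNOWN_LOCATIONS = {"Dallas, US"}     # where the practice normally signs in from
INTERNAL_DOMAIN = "practice.example"

def audit_admins(admins, now=NOW, dormant_days=DORMANT_DAYS):
    """Flag admins with no MFA or no sign-in within dormant_days."""
    findings = []
    for a in admins:
        if not a["mfa"]:
            findings.append((a["user"], "no MFA"))
        if now - datetime.fromisoformat(a["last_login"]) > timedelta(days=dormant_days):
            findings.append((a["user"], "dormant"))
    return findings

def flag_signins(signins, hours=BUSINESS_HOURS, known=KNOWN_LOCATIONS):
    """Alert on admin sign-ins outside business hours/weekends or from new locations."""
    alerts = []
    for user, ts, loc in signins:
        when = datetime.fromisoformat(ts)
        if when.hour not in hours or when.weekday() >= 5:
            alerts.append((user, ts, "outside business hours"))
        if loc not in known:
            alerts.append((user, ts, "unusual location: " + loc))
    return alerts

def suspicious_forwarding(rules, internal_domain=INTERNAL_DOMAIN):
    """Mailbox rules that forward to an address outside the practice's domain."""
    return [(owner, name, to) for owner, name, to in rules
            if to and not to.lower().endswith("@" + internal_domain)]
```

On the sample data this flags the vendor setup account (no MFA, dormant), the former IT account (dormant), one 02:40 sign-in, one sign-in from an unknown location, and one rule forwarding to an outside domain.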
Individual security controls matter. But when IT, security, and data operate in silos, gaps emerge that no single control can close.
8. Consolidate vendors to close security gaps
The fragmentation problem:
The “vendor juggling” problem creates security blind spots. When IT, security, and data are split across multiple vendors, issues fall through the cracks. Hand-offs between vendors slow incident response when speed matters most.
Fragmented vendors mean fragmented accountability. Nobody owns the outcome.
The gaps vendor fragmentation creates:
During a breach, precious hours are lost coordinating between multiple vendors while attackers move laterally. Your IT vendor says, “that’s a security issue.” Your security vendor says, “that’s an IT configuration issue.” Security controls don’t stick in daily operations because IT and security aren’t aligned.
Compliance becomes harder when you’re stitching together reports from 5 different sources for auditors.
The Unified Partner approach:
When IT, security, and data services work under one accountable team, incident response accelerates. One team sees the whole picture. Security controls actually work in day-to-day operations because the people implementing them understand your workflows.
You get simplified compliance reporting and audit readiness. Our enhanced network and data security services combine security expertise with operational understanding.
Quick win:
Map out your current vendor landscape. How many different companies touch your IT, security, and data? If it’s more than 3, you’re creating risk and response delays.
Where to start (prioritization framework)
You don’t have to do everything at once. Pick 2-3 tips that address your biggest current gaps. Start with the “quick wins” from each section.
Build momentum with small victories before tackling larger projects.
Suggested priority order:
- This week: Enable MFA with number-matching for all admin accounts (Tip 1 + Tip 7)
- This month: Run your first tabletop exercise (Tip 6) and audit admin accounts (Tip 7)
- This quarter: Implement SSO or password manager (Tip 2) and establish quarterly access reviews (Tip 3)
- Ongoing: Security awareness training cadence (Tip 4)
Start where the gaps are most dangerous. Build stability through consistent practices. Then enable better care delivery with comprehensive security.
How Focus Solutions helps you implement these tips
You can implement many of these steps with tools you already own. Where we help is orchestration, speed, and alignment, getting IT, security, and data to work together without slowing care.
Our Unified Partner approach means one team, one path: fix what’s broken, stabilize what’s chaotic, and enable what’s possible. We work exclusively with healthcare organizations, so we understand the unique pressures you face: multi-site growth, compliance requirements, and the human factors that drive risk.
Our service delivery platform is built for healthcare realities. We help practices move from reactive firefighting to proactive security that supports clinical operations. Learn more about our healthcare technology support and how we align technology with your growth goals.
Take action this Cybersecurity Awareness Month
October is the time to move from awareness to action. The key message of Cybersecurity Awareness Month 2025 is simple: small, consistent steps create real protection.
You don’t need massive budgets or tech expertise to improve security. Start now. Every tip you implement reduces risk and builds momentum toward genuine protection.
Schedule a security baseline review: Not sure where your biggest gaps are? Let’s find out together. In 30 minutes, we’ll identify your three fastest risk reducers, show you exactly what each fix looks like in your specific environment, and create an action plan tailored to your practice’s systems and workflows.
This Cybersecurity Awareness Month, give your practice the protection it deserves. The attackers aren’t waiting. Neither should you.