HIPAA, Cybersecurity and Physician Practices

Cyber breaches are a growing concern for all industries, but the size and multiple access points of a healthcare system make the industry especially vulnerable to these incidents. From 2019 to 2020, healthcare experienced a 71% increase in cyber breaches/incidents. Recently, physician practices have become an increased focus of cyber threats. As major hospitals and health systems implement robust cyber protocols, bad actors are shifting their focus and looking for smaller windows of opportunity downstream to take advantage of for a quick payout.  

How Attacks Occur

Employee error typically presents the largest vulnerability hackers exploit, and email is often the chosen point of attack. Healthcare facilities have a host of critically important data at stake, and this data is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Violating HIPAA rules and regulations can lead to significant fines and other costs, so knowing what is reportable under HIPAA, and when to report it, is critical.

How to Protect Your Organization

Email encryption and safeguards are a must for any practice. Encryption ensures that a message intercepted in transit cannot be read, so only the intended recipient can access the information. Your organization can choose which safeguard(s) best suit your needs, but outgoing emails must be HIPAA compliant. Not having the appropriate safeguard(s) in place is itself considered a violation, even if you are never hacked.

Inbound email security is not held to the HIPAA standard, but it can certainly help prevent a breach. Cybercriminals rely on poor inbound email security and human error to infiltrate your system.  

Employee training should occur on a regular and continuous basis. Conduct random simulated "phishing" expeditions to assess vulnerabilities. Do your employees know what a "phishing expedition" is? Do they know what to look for in a suspicious email? The practice is responsible for conducting a forensic audit to determine whether an attack transmitted PHI outside of the network (if only encrypted data left the network, it would be inaccessible to the attacker). Your organization should ensure regularly scheduled maintenance and software patching, and IT system components should be properly maintained. Additionally, you should assess and audit charts, emails and other correspondence for appropriate and inappropriate PHI access.

Cybercriminals have been on a full-blown assault in recent years, but proper preparation can ensure your healthcare practice is ready when threats are at your front door. Talk to a trusted RCM&D advisor today for more on cyber risk mitigation strategies that can protect your organization from liability and loss. We feature an in-house Cyber Practice, staffed by experts who are at the forefront of today’s cybersecurity risk.

This blog is part of RCM&D's "Healthcare Risk Round Up" series.