Managing Your Cyber Risk

October 21, 2014


  • Evaluate
  • Mitigate
  • Manage
  • Restore
  • Improve

As a physician it is your job to ensure that your patients’ protected health information is safeguarded. Cyber attacks against hospitals and medical practices are on the rise, and it’s more important than ever for physicians to take the necessary precautions to protect their practice.

Five Tips for Protecting Patient Data

  1. Internet access should be provided through a quality router/firewall.
  2. Ensure all computer operating systems are patched on a monthly basis. These patches fix bugs and close security gaps.
  3. Use an anti-virus program. Though the program is not an absolute solution to keeping others from accessing your information, it is an important element of any comprehensive security system.
  4. Any site, program, or computer that requires a password should be given a strong and unique password.
  5. Consider using contracted IT support to ensure that all elements of security are in place and functioning properly.

Five Security Components for Managing Your Risk

  1. Physical Safeguards – To protect your facilities, computer equipment, and portable devices, consider alarm systems, locked offices, and screen shields.
  2. Administrative Safeguards – Hire a security officer, provide workforce training and oversight, control access to information, and perform periodic security reassessments.
  3. Technical Safeguards – Implement controls on access to EHRs by requiring passwords and having different access levels. Utilize audit logs to monitor users and other EHR activities. Install measures that keep electronic patient data from being improperly changed and perform data back-ups regularly. Secure electronic exchange of patient information by performing virus checks and keeping data encrypted.
  4. Policies and Procedures – Having written policies and procedures will help ensure HIPAA security compliance, proper documentation, and good security measures. Written protocols on authorized users and record retention are also a good measure.
  5. Organizational Requirements – Ensure the practice has breach notification and associated policies as well as business associate agreements.

Cloud Storage vs. HIPAA Compliant Hosting

Cloud – When using cloud storage software for patient information, the data center is the only piece of equipment that is located off site. The information that is stored in the cloud can be accessed anywhere. When in transit to, and at rest in the cloud, data must be encrypted. The cloud storage service chosen must support the data in an encrypted state to be considered HIPAA compliant.

Compliant Hosting – This is a server-based solution and is required when a medical practice chooses not to house the hardware or data locally. The web server, application server, and database server are all located in the data center of a HIPAA compliant hosting provider. This service includes a firewall, a web or application server, and a database server.

After choosing the right data storage method, utilize the aforementioned tips to help protect your medical practice from being exposed to a cyber attack. Though these tips and practices may help to minimize your risk, they do not entirely eliminate it. To protect your practice against the damages attributed to a cyber breach, consider talking to your medical malpractice carrier about cyber liability coverage.




The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.