Small Medical Offices: How to Stay on the Right Side of Data Security

Published August 28, 2019 | Categories: IT Services, System Administration

In the last decade, the healthcare industry has undergone a dramatic evolution in the way that medical records are managed. If you work in the medical field, whether as a doctor, nurse, technician, or administrator, you could not escape the implications of the “big switch” to EMR (electronic medical records).

The change from paper to electronic record-keeping was a needed step forward. EMR saves time, money, and all those trees, in addition to improving actual patient care. But, while considerable efforts were expended to convince everyone – from the largest healthcare systems to individual medical practices – to adopt this more tech-forward approach, not as much attention was paid to the vulnerabilities of a healthcare system so reliant on tech.

Let’s be clear, EMRs did not cause the astronomic spike in cybercrimes of recent years. But, in the rush to adopt a better system, it’s possible that not enough was done to protect that system from people who’d want to exploit it.

As a result, it’s not uncommon to find headlines like these:

The Verge’s Nicole Wetsman provides a succinct summation:

“Despite the rising threat, the vast majority of hospitals and physicians are unprepared to handle cybersecurity threats, even though they pose a major public health problem.”

But, Is Cybersecurity a Problem for the Little Guys?

The short answer… yes. One of the biggest hurdles to creating a safe and secure IT network for your small medical or dental practice is thinking that you’re too small a fish for anyone to bother with.

“Most small businesses, including medical practices, think they’re too small to be a target to hackers. Unfortunately, medical data is a prize most hackers want to get their hands on and they will specifically target small medical practices expecting to find little to no cybersecurity in place.” –, 4/13/2017

Don’t let the size of your business fool you into thinking that you’re immune to being targeted by cybercriminals. The cybercrime epidemic is not slowing down. But, if you’re one of those small medical practices, there is good news: it just might be easier to protect a small office from hacking than a complex, sprawling healthcare system.

Cybersecurity & HIPAA Compliance

While it isn’t a silver bullet, the U.S. government does provide guidelines and standards for setting up secure networks to store and maintain private health data. These instructions are included with a host of other requirements governing the management of personal medical information. However, they are not easy to parse, especially for medical practices lacking experienced IT staff.

That said, the requirements for small medical practices with just one or two locations are considerably lighter than those for large healthcare systems with numerous locations and thousands of patients. Even so, compliance is not always a snap, and the penalties for coming up short can be severe (up to $50,000 per HIPAA violation).

How to Protect Your Medical Practice From Cybercriminals & Stay HIPAA Compliant

So, what do you need most to keep your electronic records and IT network secure? It helps to have a trusted partner who can combine expert knowledge in IT and data security with specialized knowledge of HIPAA.

Step 1: The Audit

Before you can fix a vulnerability, you have to know that the vulnerability exists in the first place. To that end, it helps to conduct a thorough audit of your existing network setup and see what’s what. The results should then be compared against the requirements spelled out by HIPAA.

While the audit could be conducted by your internal IT staff (if you have it), it’s best to let an outside consultant perform the assessment. That approach typically leads to better, more accurate results.

The audit results should then be reviewed for compliance with HIPAA regulations. At BITS, we rely on our partner, Total Medical Compliance (TMC), for this type of analysis.

Step 2: Results & Recommendations

After your HIPAA experts complete the analysis and present the results, your IT vendor should outline a list of issues that need to be addressed and deliver a set of solutions for your consideration.

Some of these may require an investment in newer or better equipment, including servers or security devices. More often, the recommendations will call for adopting more stringent internal user policies, including unique logins for every employee and stronger password requirements.

Step 3: Implement the Recommended Solutions

If you’ve decided that it’s important enough to know about your digital vulnerabilities, you’ll want to finish the job and address the concerns that were found. You just don’t want to be oversold on something you don’t need.

Be sure to ask for explicit explanations of every recommendation presented to you. At BITS, we discuss and review every suggested solution with our clients, so there is no question why we make the recommendations that we do.

Beacon Knows Medical Data Security

Does your medical office need to reassess data security and HIPAA compliance? BITS can help. Reach out to our team today.

Technology is changing constantly. Please note that technical information posted in the BITS blog may be inaccurate if published prior to 2022.