
Building a cyber-resilient practice


Key steps to protecting your data and your patients from cybersecurity threats.

Jaime Cifuentes, CISSP, C|CISO

Medical practices, like others across the healthcare ecosystem, are embracing digital transformation by shifting more data to the cloud and sharing it with others to improve continuity of care. While these innovations enhance service delivery, they also introduce new cybersecurity risks. Smaller practices, in particular, often lack the skilled staff, tools, and resources to effectively track and manage all their assets, understand where and how data is used, and prioritize what’s most critical to operations. As a result, they struggle to identify potential security issues and address the ones that matter most.

Specialty medical practices are especially vulnerable, making them prime targets for ransomware attacks. Recent data reveals that 46% of such incidents between August and October 2024 were directed at these organizations. The high value of medical records makes them attractive targets for cybercriminals, and the limited cybersecurity defenses in smaller practices increase the risk of data breaches and successful attacks.

However, larger practices face their own challenges. While they may have cybersecurity funding and tools, the ongoing struggle to find and retain skilled security professionals—particularly those knowledgeable about the growing risks of cloud security—remains a significant issue.

Moreover, the current wave of mergers and acquisitions in the specialty provider space is creating additional vulnerabilities. These transitions can expose cracks in security, as new practices with multiple locations and diverse information systems, programs, and digital assets are integrated. Often, these systems lack foundational cybersecurity controls, creating unknown risks that attackers could exploit.

So, what do we do?

The first step in improving cybersecurity is to gain a deep understanding of where your risks and vulnerabilities lie. This can be achieved through a comprehensive Asset-Based Risk Analysis—a crucial process for identifying and addressing potential security threats within your organization.

Many medical practices fall short in their risk analysis, often opting for a high-level assessment of security controls that fails to provide a detailed understanding of specific vulnerabilities. A high-level assessment might evaluate general security measures, but it lacks the depth needed to identify unique risks associated with individual assets. For example, Electronic Health Record (EHR) systems, patient portals, telehealth applications, and imaging systems all have their own specific vulnerabilities that can’t be effectively addressed through a general security audit. Without a more granular approach, organizations are at risk of overlooking critical threats.

Asset-Based Risk Analysis focuses on assessing the unique threats, vulnerabilities, and mitigation strategies tied to each specific IT asset. By identifying how each piece of technology—whether it’s a medical device, software platform, or data storage solution—is used and where its weaknesses lie, organizations can address security gaps more effectively. This approach has been proven to prevent breaches: hundreds of attacks on healthcare organizations have been traced to vulnerabilities that, with a more thorough analysis, could have been avoided. By focusing on the unique needs and risks associated with each asset, practices can pinpoint where additional safeguards or interventions are necessary, significantly reducing the chances of a successful attack.

However, a one-time asset-based risk analysis is not enough. Cybersecurity is a constantly evolving field, and new vulnerabilities can emerge at any time. This is why continuous monitoring is essential. The landscape of cybersecurity threats is ever-changing, and new vulnerabilities can surface due to software updates, changes in network configurations, or even shifts in how data is accessed or shared.

Continuous monitoring ensures that your practice is always aware of its current security posture. It involves actively tracking your network, systems, and assets in real-time to detect potential indicators of compromise or weaknesses that might have been introduced after the last analysis. This ongoing vigilance allows you to catch vulnerabilities early, before they can be exploited by cybercriminals. Whether it’s an outdated software patch, a new type of phishing attack targeting employees, or a misconfiguration in a cloud-based system, continuous monitoring provides up-to-date insights that help you stay one step ahead of potential threats.

In addition to detecting new vulnerabilities, continuous monitoring can help you track the effectiveness of the safeguards you’ve already implemented. By continuously assessing the performance of security tools and controls, you can ensure that they are functioning as intended and make adjustments as needed.

Together, a thorough Asset-Based Risk Analysis and a robust system of continuous monitoring form a dynamic defense strategy. The first allows you to understand and address the specific risks tied to your most critical assets, while the latter ensures that you are always prepared for new and emerging threats. This proactive, ongoing approach is crucial to maintaining a strong cybersecurity posture and safeguarding the sensitive data that your practice holds.
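The two halves of the strategy described above can be made concrete in a few dozen lines. The following is an added example, not code from the article or its author: it scores each asset from its own threat list (the granular view a high-level controls audit misses) and then compares a current snapshot of each asset's controls against the baseline recorded at the last analysis, flagging the kinds of change the text names (an expired patch window, a control switched off, a newly exposed network port, an untracked asset). The asset names, threats, control values and the 30-day patch threshold are constructed sample data and assumed policy, not figures from the page.

```python
# Added example (not from the article): a minimal asset-based risk register
# and a control-drift check of the kind continuous monitoring automates.
# All asset names, threats and control values below are constructed sample data.
from dataclasses import dataclass

# Three-level scales; an asset's risk is the sum of likelihood x impact over
# its unmitigated threats, weighted up if it stores protected health information.
LEVEL = {"low": 1, "medium": 2, "high": 3}
PHI_WEIGHT = 2


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"
    mitigated: bool = False


@dataclass(frozen=True)
class Asset:
    name: str
    holds_phi: bool
    threats: tuple  # tuple of Threat


def asset_risk(asset: Asset) -> int:
    """Score one asset from its own threat list, ignoring threats already mitigated."""
    score = sum(LEVEL[t.likelihood] * LEVEL[t.impact]
                for t in asset.threats if not t.mitigated)
    return score * (PHI_WEIGHT if asset.holds_phi else 1)


def rank_assets(assets) -> list:
    """Return (name, score) pairs, highest risk first, so safeguards go where they matter most."""
    return sorted(((a.name, asset_risk(a)) for a in assets), key=lambda p: (-p[1], p[0]))


# --- continuous monitoring: compare a current control snapshot to the baseline ---
MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold, not a figure from the article


def detect_drift(baseline: dict, current: dict) -> list:
    """Flag changes that reintroduce risk after the last analysis:
    a control switched off, a patch window exceeded, a newly exposed port,
    or an asset that was never put through the risk analysis at all."""
    findings = []
    for name, base in baseline.items():
        now = current.get(name)
        if now is None:
            findings.append((name, "asset missing from current snapshot"))
            continue
        if base["mfa"] and not now["mfa"]:
            findings.append((name, "MFA disabled"))
        if now["patch_age_days"] > MAX_PATCH_AGE_DAYS:
            findings.append((name, f"patches {now['patch_age_days']} days old"))
        for port in sorted(set(now["open_ports"]) - set(base["open_ports"])):
            findings.append((name, f"new open port {port}"))
    for name in sorted(set(current) - set(baseline)):
        findings.append((name, "asset not in risk analysis"))
    return findings


# Constructed sample inventory for a small practice.
SAMPLE_ASSETS = (
    Asset("EHR server", True, (
        Threat("ransomware via unpatched service", "high", "high"),
        Threat("credential phishing of clinical staff", "high", "high", mitigated=True),
    )),
    Asset("patient portal", True, (
        Threat("web application injection", "medium", "high"),
    )),
    Asset("front-desk printer", False, (
        Threat("default admin password", "medium", "low"),
    )),
)

# Control snapshots: the baseline from the last analysis and today's state.
BASELINE = {
    "EHR server":     {"mfa": True, "patch_age_days": 5,  "open_ports": [443]},
    "patient portal": {"mfa": True, "patch_age_days": 10, "open_ports": [443]},
}
CURRENT = {
    "EHR server":         {"mfa": True,  "patch_age_days": 41, "open_ports": [443, 3389]},
    "patient portal":     {"mfa": False, "patch_age_days": 10, "open_ports": [443]},
    "telehealth gateway": {"mfa": True,  "patch_age_days": 2,  "open_ports": [443]},
}

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:3d}  {name}")
    for name, finding in detect_drift(BASELINE, CURRENT):
        print(f"DRIFT  {name}: {finding}")
```

On the sample data the EHR server ranks first because its one unmitigated threat is both likely and severe and the asset holds patient data; the drift check then reports four findings, and it is the PHI weighting and the per-asset threat list, rather than a generic control checklist, that put the patched-but-newly-exposed EHR server at the top of the list. In practice the snapshots would come from an inventory or endpoint-management tool rather than being typed in by hand.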

Is this enough?

While conducting a thorough risk analysis and implementing continuous monitoring are crucial steps, they alone are not enough to fully protect your practice. Phishing and other forms of social engineering remain the leading initial attack vectors in cyberattacks, meaning untrained or careless workforce members continue to be the weakest link in a practice's security. Social engineering attacks are increasingly sophisticated, often combining vishing (voice phishing), smishing (SMS phishing), and email phishing to deceive employees into revealing credentials, clicking malicious links, or granting unauthorized access to the network.

It's essential that medical practice employees understand the gravity of these threats. Cybercriminals dedicate their full-time efforts to tricking individuals into compromising the practice's security. To combat this, you must foster a culture of security within your organization. Every employee needs to recognize their role in safeguarding patient data and maintaining the integrity of the practice’s network. Engaging staff in this way empowers them to be your first line of defense against phishing and social engineering attacks. Regular updates on evolving tactics, coupled with training on what to look for, ensures that employees remain vigilant and well-prepared to spot potential threats.

Conclusion

Cybersecurity is not a one-time fix but an ongoing process of vigilance, assessment, and adaptation. Medical practices, whether large or small, must take proactive steps to understand their vulnerabilities and continuously monitor their systems for emerging threats. By conducting a comprehensive Asset-Based Risk Analysis, practices can pinpoint and address the unique risks tied to their critical assets, significantly reducing their exposure to cyberattacks. But even the most thorough analysis won’t suffice without continuous monitoring to stay ahead of evolving threats.

Beyond technical safeguards, fostering a culture of security within your practice is essential. Your employees are your first line of defense. Regular training, awareness campaigns, and clear communication about the dangers of social engineering and phishing can empower your staff to become active participants in safeguarding patient data and practice operations.

Now is the time to act. Don't wait for a breach to expose your vulnerabilities. Start by prioritizing your cybersecurity strategy, investing in a thorough risk analysis, and implementing continuous monitoring. Empower your team with the knowledge and tools they need to protect your practice’s most sensitive data. Secure your future today by making cybersecurity a cornerstone of your practice's operational resilience.

Reach out to experts, review your cybersecurity posture, and take the necessary steps to mitigate risks before it's too late. Your patients and practice’s future depend on it.

Jaime Cifuentes, CISSP, C|CISO, is director of consulting services for PPM/Ambulatory

© 2025 MJH Life Sciences

All rights reserved.