Blog
June 30, 2026

How Healthcare Organizations Can Help Protect Patient Data and Manage Cyber Risk

Patient data protection requires more than technology. Learn practical strategies to help manage cyber risk, strengthen security, prepare for ransomware, and support healthcare operations.

Managing cyber risk in healthcare extends beyond securing technology infrastructure. It requires helping to ensure that designated personnel understand their decision-making authority when patient data, billing systems, third-party vendors, and care delivery operations intersect.

Consider these examples: A clinician is unable to access the charting system between patient appointments. A billing department employee receives a password reset email that appears sufficiently authentic to warrant a click. A physician’s laptop cannot be located following an extended shift. The patient portal begins malfunctioning precisely when telephone lines are already experiencing high volume.

Who determines the appropriate course of action?

For many healthcare organizations, the candid answer may be "whoever identified the issue first." This approach can create significant complications when the stakes are elevated. A well-structured cybersecurity risk program can help organizational leaders establish clear lines of responsibility before such issues reach the front desk.



Key Takeaways

  • Patient data is seldom confined to a single location. It typically traverses electronic health records (EHRs), billing systems, email platforms, patient portals, devices, third-party vendors, backup systems, and reporting tools.
  • A cybersecurity risk analysis should enable healthcare leaders to make informed decisions. If it merely generates documentation without actionable insight, the process may require reevaluation.
  • Access control, email security, endpoint protection, tested backups, vendor oversight, and incident response protocols all correspond to how operational work is actually performed.
  • Ransomware preparedness must include downtime procedures. Recovery encompasses more than restoring servers or business applications; it requires maintaining critical operations when systems are unavailable.
  • Begin with a prioritized inventory: the systems, vendors, accounts, and workflows the organization cannot afford to lo


Begin with the Systems Personnel Rely Upon Daily

Security can become more manageable when leaders maintain visibility into the systems personnel utilize daily. Which tools must clinicians access before seeing patients? What systems do billing departments require to be operational by week’s end? Who possesses the authority to create user accounts, modify access permissions, approve payments, or retrieve patient records?

These may appear to be routine inquiries, yet they prove exceptionally valuable in practice.

Most healthcare organizations will find their practical inventory begins with the following:

  • EHR and patient portal systems
  • Billing, claims, and payment platforms
  • Scheduling and patient communication tools
  • Email and cloud productivity accounts (Microsoft 365, Google Workspace, or comparable platforms)
  • Shared workstations, laptops, and tablets, including devices at nursing stations and equipment maintained in IT storage areas
  • Imaging, lab, referral, and reporting workflows
  • Vendors that store, move, or support patient data

Patient data may originate in the EHR, but it often does not remain there. Claims systems, scanned documents, email attachments, referral workflows, appointment reminders, ad hoc spreadsheets created for reporting purposes, and backup systems can all contain patient information in more locations than leadership may realize.

For each critical system, consider documenting the data it contains, the internal owner responsible for it, the vendor providing support, personnel with privileged access, and the recovery time required following an outage. If a system affects patient care, revenue, privacy, or daily communication, it belongs on this inventory.

If no individual has been assigned ownership, that represents a gap—potentially the most significant one.

Ensure the Risk Analysis Serves as a Practical Decision-Making Tool

Healthcare organizations understand that HIPAA compliance is essential. The more challenging aspect involves making a risk analysis perform meaningful work: informing budget decisions, vendor conversations, and prioritization, rather than residing unused in a compliance file.

This is a common occurrence: an organization completes the analysis, files it away, and does not revisit it until the following year's audit preparation.

The U.S. Department of Health and Human Services Office for Civil Rights specifies what a Security Rule risk analysis should address: potential risks to the confidentiality, integrity, and availability of electronic protected health information. The framework requires organizations to identify risks, assess impact, assign risk levels, document the analysis, and integrate it with ongoing management. These are established requirements.

In practical terms, this translates to: what vulnerabilities exist, what would be the impact if exploited, and which issues warrant immediate attention?

A comprehensive cyber risk analysis enables leadership to address questions such as:

  • Where is ePHI stored, sent, or accessed?
  • Which systems are most important to patient care and operations?
  • Who possesses administrative access? (The answer may prove concerning.)
  • Which vendors can reach patient data or internal systems?
  • What occurs if EHR, email, telephone, or billing systems become unavailable?
  • Which risks are sufficiently urgent to require immediate attention?

The deliverable should be a concise priority list that stakeholders actually reference—not a lengthy document that remains unread.

Access Management Is Frequently the Origin of Security Incidents

Healthcare teams experience frequent personnel transitions. New clinicians join the organization. Contractors arrive and depart. Staff members change roles. Vendors require support access. Temporary employees need accounts provisioned quickly, typically when resources are already constrained.

Consequently, access management warrants consistent attention, although it does not always receive the scrutiny it requires.

Begin with accounts that could cause the most significant damage if compromised: email, remote access, administrator accounts, billing systems, payroll, vendor portals, cloud platforms, and EHR access where supported. Then verify whether access provisioning and deprovisioning procedures function effectively in practice, not merely as documented in policy.

The following practices prove beneficial:

  • Deactivate accounts promptly upon employee departure. (This represents a common point of failure for many organizations.)
  • Maintain administrative accounts separately from standard user accounts.
  • Implement multi-factor authentication comprehensively, where technically feasible.
  • Verify unusual payment modifications or data requests through a secondary communication channel.
  • Designate an individual to confirm that access modifications have been implemented.

These measures may lack visibility, yet they represent the type of foundational work that can help prevent substantial avoidable complications.
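The practices above can be checked against data rather than taken on trust. The following is an added example, not code from the article or from Acrisure: an access review that reconciles an identity-system export against the HR roster and flags accounts still enabled after departure, admin accounts without MFA or without a separate standard account, accounts nobody in HR owns, and dormant accounts. The account and roster records, field names, and the grace and dormancy thresholds are constructed assumptions.

```python
"""Access review: reconcile identity-system accounts against the HR roster.

Added example, not code from the article. Account and roster records below are
constructed, and the field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEPARTURE_GRACE_DAYS = 1   # assumed policy: disable within a day of departure
DORMANT_DAYS = 90          # assumed policy: no login for this long -> review


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                  # HR employee id; "" for vendor/service accounts
    enabled: bool
    is_admin: bool
    mfa_enrolled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Person:
    employee_id: str
    name: str
    terminated_on: Optional[date]


def review_access(accounts, roster, today):
    """Return (severity, username, finding) tuples, highest severity first.

    Each check maps to one of the practices above: prompt deactivation on
    departure, separate admin and standard accounts, MFA coverage, and
    accounts that nobody in HR owns or that nobody has used.
    """
    people = {p.employee_id: p for p in roster}
    enabled_by_owner = {}
    for a in accounts:
        if a.enabled and a.owner:
            enabled_by_owner.setdefault(a.owner, []).append(a)

    findings = []
    for a in accounts:
        if not a.enabled:
            continue                      # already disabled: nothing to flag
        person = people.get(a.owner)
        if a.owner and person is None:
            findings.append(("high", a.username, "owner not found in HR roster"))
        elif person is not None and person.terminated_on is not None:
            overdue = (today - person.terminated_on).days
            if overdue > DEPARTURE_GRACE_DAYS:
                findings.append(("high", a.username,
                                 f"still enabled {overdue} days after {person.name} departed"))
        if not a.mfa_enrolled:
            findings.append(("high" if a.is_admin else "medium", a.username,
                             "no multi-factor authentication"))
        # Separation check: an owner whose only enabled accounts are admin
        # accounts is doing day-to-day work with elevated privileges.
        if a.is_admin and a.owner and all(x.is_admin for x in enabled_by_owner[a.owner]):
            findings.append(("medium", a.username,
                             "admin account with no separate standard account"))
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append(("low", a.username, "dormant: no login within review window"))

    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


# Constructed sample data (not real people or systems).
REVIEW_DATE = date(2026, 6, 30)
SAMPLE_ROSTER = [
    Person("E100", "Alice Ng", None),
    Person("E200", "Bob Lee", date(2026, 6, 10)),   # departed 20 days ago
    Person("E300", "Carol Diaz", None),
]
SAMPLE_ACCOUNTS = [
    Account("ang", "E100", True, False, True, date(2026, 6, 29)),
    Account("ang-admin", "E100", True, True, True, date(2026, 6, 28)),
    Account("blee", "E200", True, False, True, date(2026, 6, 9)),
    Account("cdiaz", "E300", True, True, False, date(2026, 6, 30)),
    Account("vendor-support", "", True, True, True, date(2026, 2, 1)),
    Account("temp-intern", "E999", True, False, False, date(2026, 6, 20)),
]

if __name__ == "__main__":
    for severity, user, finding in review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, REVIEW_DATE):
        print(f"[{severity:6}] {user:15} {finding}")
```

Run against the constructed data, the review surfaces the departed employee's still-enabled account, the admin account without MFA that is also its owner's only account, the account whose owner is unknown to HR, and the dormant vendor account. The sorted output is the short priority list the designated reviewer works from; the thresholds are placeholders to be replaced with the organization's own policy values.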

Email and Endpoint Security Are More Closely Connected to Patient Care Than They Appear

Within a healthcare organization, email often facilitates scheduling, referrals, billing inquiries, vendor communication, patient follow-up, and internal coordination. Devices occupy a similar position. A workstation at the nursing station, an administrative laptop, a tablet transported between examination rooms—these assets are often more integral to care delivery than most personnel recognize.

Accordingly, email and endpoint security belong centrally within discussions of patient data protection.

The HHS 405(d) Health Industry Cybersecurity Practices framework identifies social engineering, ransomware, loss or theft of equipment or data, insider data loss, and attacks against network-connected medical devices as the principal healthcare threat categories. The recommended cybersecurity practices encompass email protection, endpoint protection, access management, data protection, asset management, vulnerability management, incident response, medical device security, and cybersecurity oversight.

For resource-constrained healthcare teams, the essential question is whether fundamental security measures are being implemented consistently—not whether every tool is optimal:

  • Are devices receiving timely patches?
  • Are endpoints being actively monitored?
  • Are lost or stolen devices encrypted?
  • Are phishing reports being addressed expeditiously?
  • Are high-risk vulnerabilities being tracked through remediation?
  • Do employees understand the appropriate response when encountering suspicious activity?

"We believe so" represents a starting point, but it should not constitute the definitive assessment.


Ransomware Preparedness Must Incorporate Downtime Procedures

Ransomware affects healthcare organizations with particular severity because operational demands do not pause. Patients remain in waiting areas. Staff require access to medical records. Telephone lines continue to receive calls. Prescriptions, laboratory orders, referrals, billing, and scheduling—all functions experience rapid disruption.

A recovery plan that addresses only server restoration is insufficiently comprehensive. The more pertinent question is: how does the organization continue providing patient care while systems remain unavailable?

This necessitates that the organization understand:

  • Which clinical and business systems maintain backup copies
  • Whether restoration procedures have been validated through testing (rather than merely assumed to function)
  • Whether backup copies are isolated from the same attack vectors that could compromise production systems
  • Which workflows have documented manual downtime procedures
  • Who possesses decision-making authority during an incident
  • Which external partners should be contacted first

Backups are essential. Equally important are paper-based workflows, communication trees, vendor contact information, decision-making protocols, and staff instructions. In healthcare environments, recovery is often operational in nature before it becomes technical.
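The second item in the list above, validation through testing rather than assumption, is concrete enough to script. The following is an added example, not code from the article or from Acrisure: it archives a small constructed data set together with a SHA-256 manifest, restores the archive into a scratch directory, verifies every file against the manifest, and then shows how a backup taken after silent corruption and a deleted file fails the same test. The file names, contents, and the tar format are assumptions.

```python
"""Backup restore test: prove a backup can actually be restored.

Added example, not code from the article. It builds a small constructed data
set, archives it with a SHA-256 manifest, restores it to a scratch directory,
and verifies every file. File names, contents and the archive format are
assumptions.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive every file under source_dir; return {relative_path: sha256}.

    The manifest is the reference the restore test checks against, so keep it
    apart from the archive: a damaged archive must not carry its own answer key.
    """
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def _safe_member(member, dest):
    """Accept only regular files that land inside dest (no traversal, no links)."""
    root = Path(dest).resolve()
    target = (root / member.name).resolve()
    inside = target == root or str(target).startswith(str(root) + os.sep)
    return inside and member.isfile()


def restore_and_verify(archive_path, manifest):
    """Restore into a scratch directory and compare every file to the manifest.

    Returns (ok, problems); problems lists files that are missing or altered.
    """
    problems = []
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            members = [m for m in tar.getmembers() if _safe_member(m, dest)]
            tar.extractall(dest, members=members)
        for rel, expected in manifest.items():
            restored = Path(dest) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"altered: {rel}")
    return (not problems, problems)


def run_restore_test():
    """Back up constructed sample data, then restore-test a good and a damaged copy."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "ehr-exports"                  # constructed sample data
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "schedule.csv").write_text("mrn,appt\n0001,2026-07-01\n")
        (src / "config.json").write_text(json.dumps({"site": "clinic-a"}))

        archive = Path(work) / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        good = restore_and_verify(archive, manifest)

        # Simulate a backup taken after silent corruption and a deleted file:
        # the manifest from the known-good run catches both.
        (src / "patients" / "schedule.csv").write_text("mrn,appt\n0001,1999-01-01\n")
        (src / "config.json").unlink()
        damaged = Path(work) / "nightly-damaged.tar.gz"
        make_backup(src, damaged)
        bad = restore_and_verify(damaged, manifest)
    return good, bad


if __name__ == "__main__":
    ok_result, damaged_result = run_restore_test()
    print("known-good backup:", ok_result)
    print("damaged backup:   ", damaged_result)
```

The point of restoring into a scratch directory rather than reading the archive listing is that a listing proves only that the archive opens; the restore proves the files come back intact. Recording the date of the last passing run per system gives the backup inventory the "tested on" column that turns "we believe so" into evidence, and the manifest should live with the isolated copy, not alongside the production data it describes.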

Vendors Must Be Incorporated into the Risk Assessment

Healthcare often operates on third-party systems. EHR vendors, billing companies, claims processors, telehealth platforms, laboratories, cloud services, managed IT providers, medical device vendors, and software integrations may all access sensitive data or connect to critical workflows.

This dependency is not inherently problematic. It does, however, require that vendor risk remain visible to the organization.

At minimum, consider maintaining an inventory of vendors that handle patient data or possess system access. Confirm whether a Business Associate Agreement (BAA) is required under HIPAA and, if so, ensure one is in place. Document what access the vendor maintains, how accounts are secured, the vendor’s incident notification timeline, and contingency procedures if their service becomes unavailable.

Comprehensive questionnaires are not required for every vendor relationship. Prioritize vendors whose failure could disrupt care delivery, billing operations, or patient communication. This likely constitutes a more limited inventory than anticipated.

Maintain a Concise, Actionable Incident Response Plan

During an incident, personnel do not typically require an elaborate plan. They require the correct names, contact information, and decision points—immediately.

A healthcare incident response plan should provide clarity for the critical first hour:

  • Who receives incident reports from employees?
  • Who has authority to approve system disconnection?
  • Who is responsible for contacting IT or cybersecurity support?
  • Who is responsible for communicating with staff?
  • Where is the contact list maintained if email becomes unavailable?
  • How will decisions be documented during the incident?

Validate the plan through testing. A tabletop exercise can be straightforward: simulate a ransomware attack, stolen laptop, compromised email account, or critical vendor outage. Walk through the response for the first hour, first day, and first week.

The exercise will identify gaps. This is the intended outcome. It is preferable to discover deficiencies in a controlled setting than during an actual incident.

In Conclusion

The risk landscape can become clearer when leaders maintain visibility into critical systems, understand where patient data travels, identify accounts with elevated privileges, recognize vendors integrated into operational workflows, and establish plans for incident response.

Security measures will not eliminate every risk. They can, however, provide the organization with a more structured framework for decision-making, patient data protection, and maintaining clinical operations during challenging circumstances. Fundamentally, that constitutes the core objective.

Acrisure Cyber Services can assist healthcare organizations in assessing cyber risk, strengthening managed IT and security operations, supporting HIPAA-aligned readiness, enhancing backup and recovery planning, and identifying practical priorities for patient-critical environments.

To understand where your healthcare organization’s cyber risk may be concentrated, begin with a focused Cyber Risk Exposure Analysis from Acrisure Cyber Services.

 

Note: the information provided is for general informational purposes only and is intended to offer general guidance. It does not constitute legal, regulatory, cybersecurity or other professional advice. Organizations should evaluate their own operational, regulatory, and security requirements and consult appropriate advisers when developing or implementing cybersecurity practices.


Frequently Asked Questions About Healthcare Cyber Risks

What Is Healthcare Cyber Risk Management?
Healthcare cyber risk management involves identifying where patient data and critical systems may be vulnerable, determining which risks warrant priority attention, and implementing practical safeguards to help mitigate those risks.

Why Does a HIPAA Security Risk Analysis Matter?
A HIPAA security risk analysis can help healthcare organizations identify and understand potential risks to electronic protected health information, transforming compliance obligations into a functional security roadmap.

Where Does Patient Data Typically Reside Outside the EHR?
Patient data may be present in billing systems, claims platforms, email attachments, scanned documents, appointment reminders, patient portals, spreadsheets, backup systems, reporting tools, and third-party vendor systems.

Which Cybersecurity Fundamentals Should Healthcare Organizations Prioritize?
Consider prioritizing multi-factor authentication, access reviews, tested backup procedures, endpoint protection, email security, employee reporting mechanisms, vendor visibility, and a foundational incident response plan.

How Can Healthcare Organizations Prepare for Ransomware-Related Downtime?
Validate backup procedures, document manual workflows, identify personnel with decision-making authority, maintain contact lists accessible outside email systems, and establish which external partners should be contacted in the event of an incident.
