

Cybersecurity for Medical Practices: Addressing the HIPAA in the Room

March 27, 2023

Cybersecurity attacks, such as malware, phishing emails, and password attacks, are a growing threat to patients and medical practices. Cyber attacks can significantly disrupt patient care, including by exposing confidential data, interfering with access to records, and/or damaging operations systems. The HIPAA Security Rule has long required medical practices to develop and implement reasonable administrative, physical and technical safeguards to protect the confidentiality, integrity and security of electronic protected health information (ePHI). However, medical practices should also evaluate their risks and exposures beyond ePHI and take proactive measures to mitigate risk and protect the practice and its patients. For this purpose, the following is a summary of some of the key steps medical practices can take to prevent and mitigate the risk of cyber attacks.

Risk Analysis

The HIPAA Security Rule requires medical practices to conduct a risk analysis to identify vulnerabilities and weaknesses within the medical practice that can impact the confidentiality, integrity and availability of ePHI maintained by the medical practice. Although the HIPAA Security Rule does not impose a specific methodology, the risk analysis must be commensurate with the medical practice’s size, complexity, and capabilities. In addition, while the HIPAA Security Rule requires a risk analysis only with respect to ePHI, medical practices should also assess risks and vulnerabilities that can impact all areas of the practice, not just ePHI.

Written Policies and Procedures

After conducting a risk analysis, medical practices must establish and implement written policies and procedures which incorporate the following data privacy and security safeguards:

  • Administrative Safeguards: These are administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect the practice’s ePHI and other data and to manage the conduct of the medical practice’s workforce.
  • Physical Safeguards: These are the physical measures, policies and procedures that protect a medical practice’s electronic information systems (such as electronic medical record or e-prescribing systems) and the related buildings and equipment from natural and environmental hazards as well as from unauthorized intrusion, including cyber attacks.
  • Technical Safeguards: These are the technologies, and the policies and procedures governing their use, that protect the practice’s ePHI and other data and control access to it. For example, a medical practice may adopt a policy requiring proper encryption software, such as tools based on OpenPGP (the open standard derived from PGP, Pretty Good Privacy).

To assist medical practices, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have created a HIPAA Security Risk Assessment (SRA) Tool, which medical practices can use to conduct a risk analysis and to implement appropriate policies and procedures consistent with the HIPAA Security Rule.

Read the complete article on page 6 in the First Quarter 2023 edition of the Detroit Medical News.