5 Cybersecurity Wins Every Healthcare Practice Needs Right Now

You didn’t get into healthcare to think about cybersecurity. That’s not why you built your practice, and it’s not what drives you.

But here’s something worth sitting with: healthcare is the most targeted industry for cyberattacks in the world, and it has been for 14 consecutive years. The average cost of a healthcare data breach reached $7.42 million in 2024, more than any other sector. When those systems go down, patients in crisis can’t be reached. Appointments don’t happen. Staff can’t do their jobs. And the financial and reputational damage can take months, sometimes longer, to recover from.

The encouraging part is that you don’t need a Fortune 500 IT budget to protect yourself. You need the right fundamentals, applied consistently. In a recent webinar hosted by the New Jersey Association of Mental Health and Addiction Agencies (NJAMHA), Chris Knotts, Founder and CEO of PEAKE Technology Partners, walked healthcare organizations through five practical cybersecurity wins they can act on right now. Here’s what he covered and why it matters.

Win #1: Multi-Factor Authentication Is Your Most Important First Step

If there is one control every practice should have in place today, it’s multi-factor authentication (MFA). It’s not optional anymore.

MFA adds a second layer of verification beyond a username and password. Even if a staff member’s credentials are stolen, an attacker can’t get in without that second factor. Microsoft research found that MFA reduces the risk of account compromise by 99.22%, and Microsoft’s data shows that more than 99.9% of accounts that get compromised simply don’t have it enabled.

Here’s a real scenario that illustrates why password protection alone isn’t enough. Someone on your team signs up for a personal service and uses a password they’ve used in other places before. That service gets breached. Their email and password end up on the dark web. Without MFA, your entire practice is now exposed, and you had no idea it happened.

The proposed updates to the HIPAA Security Rule, published in January 2025, would formally require MFA on all systems that store, transmit, or access electronic protected health information (ePHI). Many cyber liability insurance policies already require it. But beyond the compliance requirement, it’s simply non-negotiable in today’s environment. Chris was direct about this in the webinar: MFA and EDR are the two controls he considers absolute must-haves.

Start here: Implement MFA across all systems that access ePHI, including your EHR, email, remote access tools, and cloud platforms. Prioritize administrative accounts first.
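As an added example (not from the webinar or the article), here is what the “second factor” check looks like in code: a time-based one-time code (TOTP, RFC 6238) that is only accepted together with the correct password, so a password leaked from some other site is not enough on its own. The user record, password, salt and the one-step clock tolerance are constructed for the demo; the TOTP secret is the RFC 4226/6238 test-vector key so the codes can be checked against the published vectors.

```python
"""Added example (not from the PEAKE webinar or article): a minimal login check
that requires a password AND a time-based one-time code (TOTP, RFC 6238).
All users, passwords and secrets below are constructed for the demo."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226/6238 test-vector key. Never reuse in production.
DEMO_TOTP_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-salt"


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """Store passwords as a slow salted hash, never in plain text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the current 30-second window (RFC 6238)."""
    return hotp(secret, int(at_time) // step, digits)


# Constructed user record: what a practice's login system would store.
USERS = {
    "clinician": {
        "password_hash": hash_password("Spring2024!"),  # weak and reused on purpose
        "totp_secret": DEMO_TOTP_SECRET,
    }
}


def verify_login(username: str, password: str, code: Optional[str],
                 at_time: Optional[float] = None, drift_steps: int = 1) -> bool:
    """Succeed only when the password AND a current one-time code are both right.

    `code=None` models someone who holds only the stolen password.
    One 30-second step of clock drift either side is accepted, as most verifiers do.
    """
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password), user["password_hash"]):
        return False
    if code is None:
        return False  # second factor missing: the password alone is not enough
    now = time.time() if at_time is None else at_time
    counter = int(now) // 30
    return any(hmac.compare_digest(hotp(user["totp_secret"], counter + d), code)
               for d in range(-drift_steps, drift_steps + 1))


if __name__ == "__main__":
    t = time.time()
    good_code = totp(DEMO_TOTP_SECRET, t)
    print("password only      :", verify_login("clinician", "Spring2024!", None, t))
    print("password + code    :", verify_login("clinician", "Spring2024!", good_code, t))
    print("password + bad code:", verify_login("clinician", "Spring2024!", "000000", t))
```

The point to take from the run is the first line: the correct password by itself is rejected. In a real deployment the secret would live in an authenticator app or hardware token, and the verifier would also reject a code that has already been used once in its window.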

Win #2: Patching and System Updates Go Deeper Than You Think

Software vulnerabilities are discovered every day. When a vendor identifies a flaw, they release a patch. The window between when a vulnerability is discovered and when it’s fixed in your environment is exactly when attackers move. Research shows that for critical vulnerabilities, the mean time to exploit has dropped to just five days.

Most practices know they need to update Windows and their primary applications. But patching goes deeper, and this is where a lot of organizations have significant exposure without realizing it.

Consider your printers, your wireless access points, your routers and network switches. These devices run firmware and software that also need to be updated regularly. And when a manufacturer stops issuing updates for a product, called “end of life,” any known vulnerability in that device becomes a permanent open door. The data here is sobering: 99% of hospitals are currently managing at least one device with a known exploited vulnerability, and 60% of medical devices in use today are considered end-of-life and no longer receive security patches.

The right response isn’t to keep running those devices and hope for the best. It’s to replace them, isolate them from the network, or formally document that you’ve accepted the risk. Unpatched vulnerabilities are directly responsible for an estimated 60% of all data breaches, so this isn’t a minor gap.

This is also where the quality of your IT partner’s toolset matters. No single patching tool covers everything. Patching Windows is one thing. Patching Adobe, Chrome, Java, and the dozens of other applications running on every machine in your office requires multiple tools and consistent attention.

Watch for: End-of-life hardware on your network that’s no longer receiving security updates. If you don’t have a current IT asset inventory, that’s the right starting point.

Win #3: Email Filtering Is Your First Line of Defense Against Phishing

Phishing is the most common entry point for cyberattacks targeting healthcare organizations. More than 90% of all cyberattacks begin with a phishing email, and healthcare is particularly exposed. In 2024, 88% of healthcare employees opened phishing emails, and nearly one in seven clicked on simulated phishing links in security awareness tests.

Something worth understanding here: most phishing is automated. It’s not a person crafting a targeted email for your practice. It’s software running at scale, sending millions of messages at once. The threat has also accelerated quickly. Generative AI tools drove a 700% increase in credential phishing incidents in late 2024 alone, because attackers can now produce polished, convincing content at a scale and speed that wasn’t possible before.

That’s actually useful to know, because advanced email filtering tools work the same way, detecting patterns across millions of inboxes and blocking threats before they ever reach your staff. A strong solution catches the vast majority of automated phishing attempts. It will create some friction occasionally, like a legitimate email getting flagged, but that tradeoff is well worth the protection.

Filtering alone isn’t the full answer, though. A team that can recognize and report suspicious messages is one of your most effective defenses. Regular training and strong filtering work together. Neither replaces the other.

Don’t overlook: Email impersonation attacks, where an attacker spoofs a trusted sender’s address. Modern filtering tools can detect these patterns, but your staff should understand that even a familiar-looking sender can be a threat.
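Added example, not taken from the article or from any filtering product: a handful of the header checks a filter applies to spot sender impersonation, run over three constructed messages. The trusted domain, the staff names, the sample headers and the one-character “lookalike” rule are all made up for the demo; a real filter combines far more signals than these.

```python
"""Added example (not the article's, not a vendor's filter): simple header
checks for sender impersonation. Trusted names, domains and messages are
constructed for the demo."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the practice's own domain and the display names worth protecting.
TRUSTED_DOMAINS = {"example-clinic.org"}
TRUSTED_NAMES = {"dr. maria lopez": "example-clinic.org",
                 "billing office": "example-clinic.org"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _within_one_edit(a: str, b: str) -> bool:
    """True when a differs from b by exactly one added, removed or swapped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def impersonation_findings(raw_message: str) -> list:
    """Return human-readable reasons this message looks like impersonation."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []

    # 1. A trusted person's display name on an address outside the trusted domain.
    expected = TRUSTED_NAMES.get(name.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"display name '{name}' used from untrusted domain {from_domain}")

    # 2. A domain one typo away from ours (examp1e vs example).
    if from_domain not in TRUSTED_DOMAINS and any(
            _within_one_edit(from_domain, t) for t in TRUSTED_DOMAINS):
        findings.append(f"lookalike domain {from_domain}")

    # 3. Replies silently routed somewhere other than the visible sender.
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"replies redirected to {reply_domain}")

    # 4. The receiving server's own SPF/DKIM/DMARC verdict.
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            findings.append(f"{check} failed for {from_domain}")
    return findings


# Constructed sample messages (headers only).
LEGIT = """\
From: "Dr. Maria Lopez" <mlopez@example-clinic.org>
To: frontdesk@example-clinic.org
Authentication-Results: mx.example-clinic.org; spf=pass; dkim=pass; dmarc=pass
Subject: Thursday schedule

"""
NAME_SPOOF = """\
From: "Dr. Maria Lopez" <drlopez.urgent@freemail.example>
To: frontdesk@example-clinic.org
Reply-To: payments@other-mail.example
Authentication-Results: mx.example-clinic.org; spf=pass; dkim=none; dmarc=none
Subject: Urgent request

"""
LOOKALIKE = """\
From: "Billing Office" <billing@examp1e-clinic.org>
To: frontdesk@example-clinic.org
Authentication-Results: mx.example-clinic.org; spf=fail; dkim=none; dmarc=fail
Subject: Updated remittance account

"""

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("name spoof", NAME_SPOOF), ("lookalike", LOOKALIKE)]:
        print(label, "->", impersonation_findings(raw) or ["no findings"])
```

The second message passes SPF, because the attacker really does control that free-mail domain; it is caught only by the display-name and Reply-To checks. That is the case the text means when it says a familiar-looking sender can still be a threat, and it is why staff training sits alongside filtering rather than behind it.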

Win #4: Endpoint Detection and Response Stops Threats Before They Spread

Traditional antivirus is reactive. It looks for known threats based on a database of signatures. The problem is that today’s attacks are often designed to evade exactly those signature-based tools.

Endpoint Detection and Response (EDR) is the next generation. It monitors endpoint behavior in real time, looks for patterns that indicate compromise rather than just known malware signatures, and can take automated action. Research shows that properly configured EDR blocks up to 98% of ransomware attacks before encryption even begins. When it detects a threat, it can isolate an infected machine from the rest of your network within milliseconds, stopping the spread before it reaches everything else.

A useful way to think about it: traditional antivirus is a lock on the front door. EDR is an alarm system that locks the door, alerts your security team, and seals off the affected room, all at the same time.
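To make the signature-versus-behavior distinction concrete, here is an added example (not from the article, and not any EDR vendor’s logic): a hash-based signature check and a behavior rule run against the same constructed stream of endpoint events. The file hashes, paths, process IDs and the rule thresholds are all assumptions for the demo.

```python
"""Added example (not the article's, not a vendor's EDR): a signature check
and a behavior rule over the same constructed endpoint events, showing why the
behavior rule still fires when a file's hash changes. Everything is made up."""
import hashlib
import os
from collections import defaultdict

# Signature approach: block by known file hash (constructed value).
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-malware-v1").hexdigest()}


def signature_verdict(file_bytes: bytes) -> bool:
    """True only if the file exactly matches a known-bad hash."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES


# Behavior approach: watch what a process does, not what it is.
# Assumed tuning: 20+ files renamed to a different extension across 3+ folders
# within one 10-second window is treated as encryption-like behavior.
FILE_CHANGE_THRESHOLD = 20
FOLDER_THRESHOLD = 3
WINDOW_SECONDS = 10.0


def behavior_verdicts(events) -> set:
    """events: (timestamp, pid, action, src_path, dst_path). Returns pids to isolate."""
    per_pid = defaultdict(list)
    for ts, pid, action, src, dst in events:
        if action == "rename" and os.path.splitext(src)[1] != os.path.splitext(dst)[1]:
            per_pid[pid].append((ts, os.path.dirname(dst)))
    flagged = set()
    for pid, changes in per_pid.items():
        changes.sort()
        for i, (start, _) in enumerate(changes):
            window = [c for c in changes[i:] if c[0] - start <= WINDOW_SECONDS]
            if (len(window) >= FILE_CHANGE_THRESHOLD
                    and len({folder for _, folder in window}) >= FOLDER_THRESHOLD):
                flagged.add(pid)  # an EDR would isolate this host here
                break
    return flagged


def constructed_events() -> list:
    """Constructed event stream: one ordinary save (pid 100) and one process (pid 200)
    that renames 25 documents across four folders in under six seconds."""
    events = [(0.0, 100, "rename", "/home/u/Documents/notes.docx.tmp",
               "/home/u/Documents/notes.docx")]
    folders = ["/home/u/Documents", "/home/u/Desktop", "/srv/share/billing", "/srv/share/charts"]
    for i in range(25):
        folder = folders[i % len(folders)]
        events.append((1.0 + i * 0.2, 200, "rename",
                       f"{folder}/file{i}.pdf", f"{folder}/file{i}.pdf.enc"))
    return events


if __name__ == "__main__":
    print("signature, known build    :", signature_verdict(b"constructed-malware-v1"))
    print("signature, recompiled build:", signature_verdict(b"constructed-malware-v2"))
    print("behavior, pids to isolate :", behavior_verdicts(constructed_events()))
```

The recompiled build changes one byte and the signature check goes quiet, while the behavior rule is indifferent to what the binary is called or hashes to. Real products tune these thresholds per environment precisely so that a clinician saving a document does not look like an outbreak.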

Like MFA, EDR is included in the proposed HIPAA Security Rule updates as a required endpoint hardening control. It’s also a standard requirement for most cyber liability insurance policies. If your practice is still running legacy antivirus on its endpoints, that’s a conversation worth having with your IT partner soon.

Why this matters especially for behavioral health: A ransomware attack doesn’t just disrupt billing. It can take your entire practice offline. When your mission is providing continuous care to vulnerable populations, a multi-day outage isn’t just an operational problem. It’s a patient safety issue.

Win #5: A Real Security Risk Assessment Gives You a Roadmap, Not Just a Checkbox

Here’s where a lot of practices fall short, and it’s not because they skip the security risk assessment. It’s because they treat it as a compliance checkbox rather than an actual risk management tool.

A three-hundred-dollar online tool that generates a report from a series of clicks is documentation. A real security risk assessment identifies actual vulnerabilities in your environment: unpatched systems, misconfigured devices, gaps in access controls. It gives you a prioritized roadmap to fix what’s broken. The proposed HIPAA Security Rule updates would formalize this, requiring annual penetration testing and twice-yearly vulnerability scans as standard requirements, not optional best practices.

A thorough assessment includes both an internal scan and an external penetration test. The internal scan looks at what’s happening inside your network. The external test simulates what an attacker on the outside could access. Together, they give you an honest picture of where you stand.

The goal isn’t a perfect score. The goal is to know where your gaps are, understand the risk each one represents, and make informed decisions about how to address them. That’s what it means to actually manage risk, not just document that you’ve reviewed it.

Recommended cadence: A formal security risk assessment should be conducted at least annually, or any time your IT environment goes through a significant change like new software, new locations, or new staff systems.

Two More Areas Worth Taking Seriously

Cyber Liability Insurance Requires More Than Just Owning a Policy

Cyber insurance has become significantly more sophisticated in recent years, and so has the claims process. Carriers are applying strict scrutiny to whether organizations were following security best practices at the time of an incident. If MFA wasn’t in place, or systems were running end-of-life software, your coverage may not respond the way you expect it to.

Review your policy carefully. Know what your carrier requires of you, and make sure your IT environment meets those requirements before something happens.

Backups Matter More Than Most Practices Realize

A security incident doesn’t have to involve a hacker. A server drive failure with no functioning backup can take a practice offline just as effectively as a ransomware attack.

In one example shared during the webinar, a practice went nearly two weeks without access to their EHR because a drive failed and no verified backup was in place. This wasn’t a cyberattack. It was a hardware failure with no recovery plan. The disruption to patient care was the same either way.

Your backup strategy should be tested regularly. Knowing you have a backup is not the same as knowing you can restore from it quickly.
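As an added example of what “testing the backup” means in practice (not something from the webinar), the following restore drill extracts an archive into a scratch folder, checks every file against the hash manifest recorded at backup time, and times the whole restore. The source files, the archive and the “job that silently skipped a file” scenario are constructed inside a temporary directory; the 60-second restore target is an assumed value.

```python
"""Added example (not from the webinar): a restore drill that proves a backup
can actually be restored. Files, archive and the failure scenario are
constructed in a temp directory for the demo."""
import hashlib
import json
import os
import tarfile
import tempfile
import time


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: str, archive_path: str, manifest_path: str) -> dict:
    """Archive source_dir and record a hash for every file at backup time."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = _sha256(full)
                tar.add(full, arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest


def restore_drill(archive_path: str, manifest_path: str, max_seconds: float = 60.0):
    """Restore to a scratch dir and verify. Returns (ok, missing_or_corrupt, seconds)."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    problems = []
    start = time.perf_counter()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # safe extraction, Python 3.12+
            except TypeError:
                tar.extractall(scratch)                 # older Pythons have no filter arg
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.exists(restored) or _sha256(restored) != expected:
                problems.append(rel)
    elapsed = time.perf_counter() - start
    return (not problems and elapsed <= max_seconds), problems, elapsed


def demo_drill(incomplete: bool = False):
    """Build a tiny constructed 'EHR' folder, back it up, run the drill.
    With incomplete=True the archive is rebuilt without one file, modelling a
    backup job that silently skipped it while the manifest still lists it."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ehr-data")
        os.makedirs(os.path.join(src, "charts"))
        for rel, content in [("patients.db", b"constructed db bytes" * 100),
                             ("charts/2025-03.json", b'{"visits": 12}')]:
            with open(os.path.join(src, rel), "wb") as f:
                f.write(content)
        archive = os.path.join(work, "nightly.tar.gz")
        manifest = os.path.join(work, "nightly.manifest.json")
        make_backup(src, archive, manifest)
        if incomplete:
            with tarfile.open(archive, "w:gz") as tar:
                tar.add(os.path.join(src, "charts/2025-03.json"), arcname="charts/2025-03.json")
        ok, problems, seconds = restore_drill(archive, manifest)
        return ok, problems


if __name__ == "__main__":
    print("healthy backup   :", demo_drill())
    print("incomplete backup:", demo_drill(incomplete=True))
```

The second run is the one worth thinking about: the nightly job “succeeded”, the archive exists, and yet the practice’s main database is not in it. Only restoring and comparing against a manifest taken independently of the archive reveals that, which is the difference the text draws between having a backup and being able to restore from it.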

What a Protected Practice Actually Looks Like

Security isn’t a product you buy once or a project you mark complete. It’s a layered, ongoing practice. Think of it as an onion: each layer of protection reduces the chance that a threat reaches the core, which is your patients’ clinical data and the continuity of your care delivery.

The practices doing this well have a few things in common. Leadership has a clear picture of their security posture. Staff know what to look for and who to contact. And their IT partner communicates proactively, not just when something goes wrong.

None of these five wins requires you to become a cybersecurity expert. They require you to partner with people who are, and to hold that partnership to a high standard.

If you’re not sure where your organization stands on any of these areas, that’s exactly where a security risk assessment starts: an honest look at where you are, so you know what it takes to get where you need to be.

Author: The PEAKE Team