The HIMSS Cybersecurity and Privacy Committee developed the Small Practice Cybersecurity Toolkit as a practical, easy-to-use resource to help healthcare professionals strengthen their defenses without needing cybersecurity expertise.

Access the toolkit: HIMSS Small Practice Cyber Tips

October is Cybersecurity Awareness Month, but safeguarding patient data is a year-round endeavor. Healthcare organizations of all sizes are on the front lines of both patient care and cyber threats.

With limited time, budgets and staff, cybersecurity can feel like one more challenge in an already demanding environment. Yet protecting patient information and maintaining operations are essential to delivering safe, reliable care.

Follow these five key action items from the toolkit that every healthcare organization can take today to reduce risk, protect privacy and keep care running smoothly.

1. Lock It Down. Keep It Private.

Protecting patient information starts with physical safeguards. Even simple lapses, like an unlocked office or a screen visible to the public, can lead to privacy violations or data breaches.

Begin with the basics:

• Lock file cabinets, offices, and devices when not in use.
• Use privacy filters and position monitors away from public view.
• Enforce clean-desk policies and shred documents in accordance with HIPAA.
• Regularly audit who has keys, badges, or after-hours access.

Physical security is the foundation of data security. When you control who can physically see or reach sensitive information, you reduce the chances of accidental exposure or intentional misuse.

2. Have a Plan Before Things Go Wrong

Cybersecurity incidents and downtime can happen without advance warning. Whether caused by ransomware, power failure or technical failure, interruptions to clinical systems can quickly affect patient safety. Preparation is the key to minimizing impact.

Create manual workflows and contingency plans for critical operations such as prescriptions, scheduling and lab coordination. Train staff on downtime procedures and practice regularly through drills or tabletop exercises. Establish redundant communication channels like secure text systems or backup phones, and coordinate with pharmacies, laboratories and hospitals to ensure continuity of care.

When everyone knows their role during an outage, downtime becomes manageable rather than chaotic. A well-tested plan turns a potential disaster into a controlled recovery.

3. Protect the Basics to Stop Big Threats

Most cyber incidents start with basic weaknesses: weak passwords, reused credentials or unpatched systems. Strengthening these areas can prevent the majority of attacks.

Implement FIDO2-compliant, phishing-resistant multifactor authentication (MFA) or robust passwordless authentication whenever possible. If MFA is not yet supported, require long, complex and unique passwords for every account. Lock screens when leaving a workstation or when mobile devices are not in use, secure mobile devices and train staff to recognize and report phishing attempts.

4. Use the Right Tools for the Job

Consumer-grade technology can be convenient, but it often lacks the security, privacy and compliance features required in healthcare. Use software that supports HIPAA compliance and ensure a signed Business Associate Agreement (BAA) is in place with any vendor that handles protected health information.

Avoid using personal email accounts and free file-sharing platforms for clinical communication. Segment networks with VLANs or port security to limit how far an intruder can move if they gain access. Work with IT professionals who understand the healthcare environment, including the need for secure, reliable connectivity in clinical settings.

Investing in the right tools not only protects patient data but also supports compliance and operational resilience.

5. Train Everyone. Test Often.

Technology alone cannot stop every threat. People play a vital role in security. Regular training helps staff recognize, respond to and report suspicious activity.

Teach employees to identify phishing and social-engineering tactics. Run regular simulations, provide feedback and celebrate success. Establish clear escalation protocols so employees know exactly what to do when they see something suspicious.

Reinforce learning with short, frequent refreshers rather than a single annual training. Make cybersecurity part of everyday clinical practice, not an afterthought. A well-informed team reduces risk across the organization.

Enablement: Building a Strong Cyber Culture in Healthcare

The following best practices can help healthcare organizations strengthen their ability to operationalize and sustain strong cybersecurity.

1. Building a Strong Cyber Culture in Healthcare

Each organization’s cybersecurity culture needs to be strong in order to achieve resilience. The following best practices can help organizations ensure their people have awareness, accountability and readiness for cybersecurity incidents.

2. Leadership Commitment

Cybersecurity should be viewed as a strategic priority and a component of patient safety. Leadership must allocate the necessary resources of people, funding and technology to support a resilient program.

3. Security Champions

Designate a security champion within each department or facility. These individuals promote good security habits, serve as the first point of contact for questions and help identify issues before they escalate.

4. Regular, incremental learning

Short, focused lessons are often more effective than long sessions. Micro-learnings, short videos or tip-of-the-week messages can keep security top of mind. There are free resources available such as the Cybersecurity for the Clinician video series that make ongoing education easy to integrate.

5. Vendors, contractors and clinical partners

Include vendors, contractors and clinical partners in your training and contingency planning. Clarify expectations for data handling, incident reporting and HIPAA compliance. A coordinated approach reduces risk across the healthcare ecosystem.

6. Keep It Practical and Engaging

Make cybersecurity relatable to the work clinicians and staff do every day. Use realistic examples, games or scenario-based exercises to make learning interactive. Encourage questions and feedback, and continually improve your program based on what you learn.

---

By combining practical safeguards with leadership engagement and ongoing enablement, organizations can build a culture where every member of the workforce is accountable for doing cybersecurity right and protecting patients and their data.

Cybersecurity and patient safety go hand in hand. The HIMSS Small Practice Cybersecurity Toolkit provides practical, low-cost steps that any healthcare organization can take to build resilience, protect patient privacy, and ensure continuity of care.

“Protect the data, protect the patient,” says Lee Kim, HIMSS Senior Principal, Cybersecurity and Privacy.