09/04/2025
Cyber Readiness for Small Practices: Practical Steps That Make All the Difference
From our financial and professional services partner, Scroggins Grear:
Smart, Simple Cybersecurity: What Every Practice Should Have in Place
For many physicians, cybersecurity feels like something large companies and big hospital systems need to worry about. But according to John Untener, IT director at ScrogginsGrear, that mindset is exactly what makes practices vulnerable.
“Cyberattacks aren’t a question of if, but when. And whether you’re ready when it happens,” he said.
Here’s what providers need to know about today’s threat landscape, and what you can do to protect your practice, your revenue, and your reputation.
The Top 3 Cyber Threats (And How to Fight Back)
Cyber threats don’t usually kick down the door. They sneak in through a convincing email, a compromised vendor, or a well-meaning employee just trying to get through a busy day.
Here are the top risks small medical practices face right now, and what you can do to stay ahead of them.
1. Phishing: The human factor
Phishing scams are still the number one way cybercriminals get in, and they’re getting smarter. These attacks trick people into clicking unsafe links, handing over passwords, or giving up sensitive information. And with AI tools now in play, scammers can more easily make things look real, from emails that appear to come from coworkers to a cloned version of a leader’s voice on the phone.
Common red flags:
- Email addresses that almost look familiar
- Out-of-the-blue attachments or “secure” documents
- Messages that create a sense of urgency, like “transfer funds now” or “click here to unlock”
How to fight back:
- Teach your staff to verify anything unusual before hitting reply or opening any attachments
- Show them how to hover over links before clicking to check the real URL
- Run phishing simulations and refresh cybersecurity training regularly
- Set up multi-factor authentication (MFA) so one stolen password doesn’t give full access
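The red flags and the “hover before you click” advice above can also be turned into an automated first pass over inbound mail. The script below is an added example written for this article, not ScrogginsGrear’s tooling: it checks sender domains against a trusted list for lookalikes (one or two characters changed, or a trusted name buried under a different domain), compares the text a link shows against where it really points, looks for urgency phrases, and flags attachment types that commonly carry macros or scripts. The trusted domains, phrase list, extension list and the two sample messages are all constructed for the example.

```python
"""Heuristic phishing triage over email metadata (added example, constructed data)."""
from urllib.parse import urlparse

# Constructed for this example: domains the practice legitimately receives mail from.
TRUSTED_DOMAINS = {"examplepractice.com", "billing-vendor.example"}
# Phrases that match the "sense of urgency" red flag (constructed list).
URGENCY_PHRASES = ("transfer funds now", "click here to unlock", "immediately", "urgent")
# Attachment types that can run code or macros when opened (constructed list).
RISKY_EXTENSIONS = {"docm", "xlsm", "html", "htm", "zip", "exe", "js", "iso", "lnk"}


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].strip().lower()


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this sender domain imitates, or None if it is fine."""
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None  # the trusted domain itself or one of its real subdomains
    for t in trusted:
        if edit_distance(domain, t) <= 2:
            return t  # e.g. one letter swapped for a digit
        if t.split(".")[0] in domain:
            return t  # trusted name embedded under another domain, e.g. trusted.com.evil.net
    return None


def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def link_mismatch(text, href):
    """True when the link shows one host to the reader but actually goes to another."""
    text = text.strip()
    if " " in text or "." not in text:
        return False  # plain words like "click here" show no host at all
    return host_of(text) != host_of(href)


def triage(msg, trusted=TRUSTED_DOMAINS):
    """Return a list of (flag, detail) findings; an empty list means nothing looked off."""
    findings = []
    imitated = lookalike_domain(sender_domain(msg["from"]), trusted)
    if imitated:
        findings.append(("lookalike-sender", f"{msg['from']} resembles {imitated}"))
    for text, href in msg.get("links", []):
        if link_mismatch(text, href):
            findings.append(("link-mismatch", f"shows {text} but goes to {href}"))
    haystack = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    for name in msg.get("attachments", []):
        if "." in name and name.lower().rsplit(".", 1)[-1] in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
    return findings


# Two constructed messages: a routine internal email and a lookalike phishing attempt.
SAMPLES = [
    {"from": "dr.lee@examplepractice.com", "subject": "Thursday schedule",
     "body": "Attached is the updated schedule.", "links": [], "attachments": ["schedule.pdf"]},
    {"from": "billing@examp1epractice.com", "subject": "URGENT: transfer funds now",
     "body": "Click here to unlock your account before 5pm.",
     "links": [("portal.examplepractice.com", "http://examplepractice-login.net/verify")],
     "attachments": ["Invoice.docm"]},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["from"], "->", triage(msg) or "no findings")
```

The flags are deliberately conservative: a legitimate subdomain of a trusted sender is never reported, and link text that is not a host name is ignored, so staff see a short list of concrete reasons (“shows portal.examplepractice.com but goes to examplepractice-login.net”) rather than a score they have to interpret.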
2. Ransomware: Lock, threaten, repeat
Ransomware is exactly what it sounds like: hackers lock your data, then demand money to give it back. And lately, they’ve upped the ante by threatening to leak patient records if you don’t pay.
And, unfortunately, smaller practices are easy targets: they tend to have weaker security but hold data that is just as valuable.
What’s at stake:
- Days or weeks of system downtime
- Canceled appointments and lost income
- HIPAA headaches and mandatory credit monitoring for patients
- Long-term damage to patient trust
How to stay ahead:
- Back up your data every day, and keep at least one copy offline
- Segment your systems (so billing can’t bring down scheduling, and vice versa)
- Stay current on antivirus and firewall updates
- Create a clear recovery plan and rehearse it with your team
3. Third-party vendors: A hidden vulnerability
Most practices depend on third-party platforms for billing, scheduling, or EHR. But if one of those vendors gets hit with an attack, your practice can feel the pain.
In a recent incident, a breach at a scheduling software company shut down more than a dozen medical facilities - none of which were directly responsible for the breach.
Smart protections:
- Vet your vendors carefully by requiring proof of certifications, reports of past incidents, and uptime stats
- Get their recovery plan in writing, and ask who covers the costs if they go down
- Ask what their recovery timeline is and what you should do in the first 24 hours in the event something happens
- Make it a habit to print out two weeks’ worth of scheduling data every day - just in case you need to go analog fast
The Financial Reality
The average cost of a healthcare data breach is estimated at $300–$400 per patient record. If you’ve got 1,000 patient records, that’s a six-figure loss before you even factor in time, disruption, or patient communication.
“Even if they have cyber insurance, that doesn’t address not being able to see patients for two or three weeks because systems are down,” said Untener. “That’s a huge cost.”
It’s also why a recovery plan matters just as much as your security stack.
What To Do: Practical Steps for Your Practice
- Build a recovery plan
If your systems go dark tomorrow, could you still see patients? Practices that print out two weeks of schedules and keep paper forms handy are miles ahead of those scrambling in real time.
- Train your team regularly
A written policy won’t protect you if your staff isn’t paying attention. Cybersecurity works best when it’s part of the daily routine, especially during your busiest times. Get your team into these good habits:
  - Spot sketchy emails and links
  - Double-check senders before sharing info
  - Confirm unusual requests with a phone call
  - Slow down, especially during busy seasons
- Assume you’ve already been compromised
It’s not about paranoia; it’s about preparedness. Tools like Credit Karma can flag new credit pulls or accounts opened in your personal name, and monitoring services like Nav can do the same for your business. Prevention is great, but detection is equally critical.
Bottom Line: You Don’t Need to Be Perfect. Just Prepared.
You can’t stop every cyberattack. But you can be ready. As Untener put it: “Security isn’t about a perfect defense - it’s about resilient recovery and daily vigilance.”
Want to talk about your own preparations and recovery plan?
Reach out to a ScrogginsGrear advisor. We’re happy to help you stay secure, stay open, and stay in control.