There is an increasing number of high-profile incidents involving healthcare organizations falling victim to cybersecurity threats. With the looming risk of being hacked and losing access to patient data, it’s becoming crucial for even small medical practices to prioritize cybersecurity and mitigate both compliance and financial risks.
On this episode of the MGMA Insights podcast, host Daniel Williams spoke with Rana McSpadden FACMPE, CHPC, CPC, a medical practice consultant with SVMIC (the State Volunteer Mutual Insurance Company) in Brentwood, Tenn. McSpadden will be speaking at the MGMA Leaders Conference in Orlando with a session entitled “Leading the Charge: Implementing Effective Cybersecurity in Healthcare.”
An expert in combating the growing epidemic of cyber threats that impact healthcare practices, McSpadden trains staff to spot and help prevent potentially devastating electronic attacks. SVMIC serves as a professional liability provider for its policyholders, while McSpadden provides value-added consulting assistance on technology challenges along with expertise on billing, coding, HIPAA and OSHA issues.
“My goal in the presentation is not to talk about the types of threats that are out there, but more about how to recover from them,” she says about her upcoming Leaders Conference session. “We’re in a day and age where it’s no longer if, but when something’s going to happen, so it’s best to already have a plan in place.”
Cybersecurity is Everyone’s Concern
As McSpadden explains, cybersecurity is no longer siloed with a practice’s IT department, but now involves every staff member being constantly aware of potential threats.
“The practice needs to be thinking about this as a whole, because cybersecurity is a whole system – it’s all the staff, it’s leadership and it’s physicians too,” she emphasizes. “Everybody has to work together to ensure that they are doing their part to secure the electronic data of patients.”
Fortunately, most employees are now aware of ransomware attacks that can disable an organization, or even lock a practice out of its own systems until money is paid to the attackers. According to McSpadden, the real threat lies in the weaknesses criminals exploit to reach data in the first place, including increasingly sophisticated phishing emails, texts or phone calls designed to trick users into revealing their access credentials.
“We are no longer in the days of (messages with) broken English and misspelled words and all that kind of stuff – they’re now using AI to write these things, or they’re using AI to trick users when they call in to think it’s somebody that they know or work with,” she says. “We’ve had instances where physicians have fallen for a phone phishing scam where the threat actors pretended to be DEA agents.”
As cyber threats continue to evolve, McSpadden says your entire team must be suspicious of everything and remain hyper-vigilant. Ominous-sounding messages may appear to come from legitimate, properly credentialed government entities, but staff need to learn to trust their gut feelings and never reply to, or call any number included in, a suspicious message.
“If something doesn’t feel right, ignore that source and go to the direct source,” McSpadden says. “Government agencies like the DEA are not going to call you and say you’ve got unpaid fines and you gotta pay us a whole bunch of money for penalties.”
Collectively Building a Wall
McSpadden highlights that the most important technical tool a practice can have is a properly configured firewall to help defend against more sophisticated cyber-attacks. Smaller healthcare organizations are often targeted specifically because they lack the funds to reinforce their systems, leaving them susceptible to thieves. She suggests working with security firms that can run vulnerability assessments and penetration tests to uncover weaknesses, and then remediating the gaps those tests find.
McSpadden says practice culture plays an equally important role in preventing electronic crime. Increased focus from leadership can influence an entire healthcare practice to help create a safer overall approach.
“It’s in the bones of the practice, as part of your mission and part of your values, and you really need to develop that culture,” she says. “The leadership has to head the charge. They’re the ones who have to show ‘I take this seriously, and you should too.’”
Safeguarding electronic patient data is also a HIPAA Security Rule requirement, so McSpadden says practices should consider folding cybersecurity training into their existing compliance program rather than treating it separately. For instance, HHS offers a voluntary program to help bolster healthcare cybersecurity.
First Steps for Practice Leaders
Armed with a new awareness of the threats, McSpadden says administrators and practice leaders should first review their security risk analysis and ensure any necessary updates are made. She warns that the HHS Office for Civil Rights (OCR) has launched a Risk Analysis Initiative and has been imposing penalties on entities that suffer cybersecurity breaches.
“Next, look at your training program. If you’re only educating staff on general HIPAA, you’re not catching the cybersecurity issues. Make sure you have some sort of cybersecurity education, and have routine reminders throughout the year – tell your staff, ‘don’t forget to look for this kind of stuff.’”
McSpadden also suggests practices include a recovery plan as part of their incident response plan. This includes training staff on downtime procedures using old-fashioned paper charts if an organization is locked out of its electronic data, as well as making sure the practice carries sufficient cyber liability insurance, has an open line of credit in case of an emergency, and holds robust business interruption insurance.
“I’ve seen several physician groups that have exceeded their policy limits and they are now having to pay out of pocket as a result of the incident … plus the class action lawsuits brought on by patients. So yes, it’s scary out there.”
Resources:
- HHS Voluntary Cybersecurity Program
- OCR Security Risk Analysis Initiative
- Rana McSpadden on LinkedIn
- 2025 MGMA Leaders Conference registration
Additional Resources:
Email us at dwilliams@mgma.com if you would like to appear on an episode. If you have a question about your practice that you would like us to answer, send an email to advisor@mgma.com. Don't forget to subscribe to our network wherever you get your podcasts.