A Simple Cybersecurity Win for Your EHR
Protecting electronic health records doesn't require complex overhauls or massive budgets. This article presents two practical strategies that healthcare organizations can implement right away to strengthen their cybersecurity posture. Industry experts share proven methods that balance robust protection with the realities of daily clinical workflows.
Mandate Hardware Keys for Patient Safety
We moved beyond authenticator apps to phishing resistant hardware security keys for every staffer that touches EHR data. Or, the bigger patient data breach risk: a staff member tapping 'Approve' on a push notification during a busy clinic day. It's so much easier to entice someone to tap 'Approve' for a ransom demand for stolen data than to compromise a hardware key.
The authorities mandated rollout as a patient safety initiative, no 'IT' word was spoken. In 15-minute trainings, we distributed keys appreciating the sense of empowerment attaching a device to their workstations can give to users. This hands-on activities kept help-desk tickets to a minimum and allowed us to achieve 100% adoption by our cutover in 2 weeks. The one-time hardware cost will be negligible next to the financial and reputational cost of even one HIPAA violation.
Require App MFA with Targeted Awareness
Control implemented: Mandatory multi-factor authentication (MFA) for EHR, email, and patient portal access.
We saw the biggest reduction in phishing risk after enforcing app-based MFA for all staff who access the optometry EHR and patient portal. Phishing attempts continued, but stolen passwords alone were no longer enough to compromise accounts.
Supporting practice: Low-cost, role-based phishing awareness training.
Instead of long courses, we delivered short 20-minute sessions using real healthcare phishing examples (fake lab results, insurance updates, patient portal alerts). Staff were also shown exactly how to report suspicious emails.
Email hygiene improvements:
External sender labeling
SPF, DKIM, and DMARC enforcement
Blocking look-alike domains used in healthcare phishing
Rollout approach:
We piloted MFA with clinicians and front-desk staff first, resolved workflow issues, and expanded to all users within 30 days.
Impact:
Noticeable drop in phishing click-through rates
Zero EHR or patient portal account compromises in the past year
Higher staff confidence and faster reporting of suspicious emails
Author Bio
Ankit Rai is a cybersecurity engineer and founder of Codevirus Security, specializing in healthcare, banking, and government cybersecurity. He has conducted security assessments, incident response support, and staff awareness programs for hospitals, financial institutions, and public-sector organizations across India. His work focuses on practical, low-cost security controls that reduce real-world cyber risk without disrupting operations.
Maintain Immutable Offline Backups and Tests
Backups that cannot be changed or erased are the best last line against ransomware. Store copies offline or in write-once storage so attackers cannot encrypt them. Back up the full EHR and key systems on a set schedule that meets your recovery goals.
Test restores often to prove you can bring records back fast and clean. Keep a simple runbook so staff know the steps during stress. Set up immutable, offline backups and run a restore test this week.
Segment Clinical Systems into Secure Zones
Network walls stop one device problem from spreading to the whole EHR. Segment the EHR into its own zone with only the paths it needs. Block all other traffic by default and open just the few ports that are required.
Keep vendor tools and guest devices in separate zones so they cannot touch patient data. Watch network logs to catch strange flows that try to cross zones. Isolate your EHR network with strict segmentation now.
Enable Automatic Patch Updates
Automatic security updates close known holes fast. Attackers reuse known bugs, so every day unpatched is risk. Set OS and EHR to pull only security fixes and apply them on a safe schedule.
Use a test device to check key workflows, then roll out to all staff. Keep a rollback plan and watch update logs for errors. Turn on automatic security updates today.
Set Short Screen Lock and Privacy
Unattended EHR screens are an easy way for data to leak. A short auto-lock stops walk-up snooping and cuts risk from lost or stolen devices. Choose a timeout that fits the pace of care and use fast unlock tools like badges or SSO to limit delays.
Add privacy screens in busy areas to block views from the side. Train staff to lock screens before they step away, even for a moment. Set up automatic screen lockouts and timeouts today.
Implement Least Privilege Role Design
EHR accounts should have only the access needed for the job. Too much access turns small mistakes into big breaches. Map roles to tasks, and give each role the least rights that still let work get done.
Add time-limited access for rare tasks, with manager approval and audit. Remove access fast when roles change or people leave. Put least-privilege, role-based access in place now.