Understanding Cybersecurity Threats
Recognize the most common digital threats targeting office workers and healthcare organizations — so you can identify them before they cause harm.
Lesson Notes
Read through the key concepts before you try the challenge.
The Cybersecurity Threat Landscape
Understanding the types of threats that target organizations helps you recognize warning signs and respond correctly. These are the most common threats affecting medical offices today:
- Malware is malicious software designed to damage, disrupt, or gain unauthorized access to computer systems. It includes viruses (self-replicating code that attaches to files), worms (self-propagating malware that spreads across networks without user action), trojans (malware disguised as legitimate software), spyware (software that monitors your activity and sends data to attackers), and adware (software that generates unwanted advertisements). Most malware arrives through email attachments, unsafe downloads, or unpatched software vulnerabilities that an attacker exploits remotely.
- Ransomware is a particularly damaging form of malware. It encrypts the files on an infected computer and on any network shares it can reach, then demands payment (usually in cryptocurrency) for the decryption key. Many ransomware groups also copy data out before encrypting it and threaten to publish it, so a ransomware incident in healthcare is usually also a data breach. Healthcare ransomware attacks have shut down hospitals for weeks, delayed patient care, and cost millions of dollars. In 2023, ransomware attacks on healthcare organizations in the US averaged over $1 million in ransom demands and significantly more in recovery costs. Backups are the primary means of recovery: ransomware can still encrypt the live files, but an organization that keeps copies offline or in cloud storage with version history, and tests restoring from them, can rebuild without paying. Backups that stay connected to the network are usually encrypted along with everything else.
- Data breaches occur when unauthorized parties gain access to protected information. In healthcare this typically means patient PHI (names, diagnoses, insurance information, medical records). Breaches may result from malware, stolen credentials, lost devices, or unauthorized insider access. HIPAA's Breach Notification Rule requires healthcare organizations to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach, whatever its size. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services within that same 60-day window; smaller breaches are logged and reported to HHS annually.
- Insider threats come from people with legitimate access who misuse it, either maliciously (intentionally stealing patient data to sell) or negligently (for example, emailing a patient's records to the wrong recipient, or looking up a neighbor's chart out of curiosity). Insider threat mitigation includes access controls (least privilege: each account can reach only what the role requires), activity monitoring (systems that log and flag unusual access patterns, such as one user opening hundreds of charts in an hour), and training (ensuring staff know what authorized use looks like).
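The ransomware behaviour described above (files rewritten in a burst, each one gaining a new extension, then a note demanding payment) is also what IT can watch for in file-server audit logs. The following Python script is an added example for this lesson, not code from the original page: it runs that detection over constructed log lines in an assumed format (`<timestamp> user=<name> op=<write|create|rename> path=<old>[ -> <new>]`); the user names, paths and timestamps are invented, and the thresholds are illustrative.

```python
"""Flag ransomware-style activity in a file-server audit log.

Added example for this lesson, not code from the original page. The log line
format and every line in LOG are constructed for illustration; a real source
(Windows object-access events, a NAS audit log) needs its own parser.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)   # burst window per user (assumed tuning)
RENAME_THRESHOLD = 20            # extension-appending renames inside WINDOW that trigger an alert
NOTE_PATTERNS = ("decrypt", "recover_files", "restore_files", "ransom")

# Assumed format: "<ISO timestamp> user=<name> op=<write|create|rename> path=<old>[ -> <new>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>.+?)(?: -> (?P<new>.+))?$"
)


def _ts(seconds):
    """Constructed timestamps, all on the same morning, offset by 'seconds'."""
    base = datetime(2025, 5, 12, 9, 14, 0, tzinfo=timezone.utc)
    return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed log: normal work by mlee, then jsmith's workstation renaming every
# chart to .locked at one file per second and dropping a ransom note.
LOG = [
    f"{_ts(0)} user=mlee op=write path=S:/Billing/claim-2025-0412.pdf",
    f"{_ts(5)} user=mlee op=rename path=S:/Billing/draft.docx -> S:/Billing/final.docx",
]
LOG += [
    f"{_ts(30 + i)} user=jsmith op=rename path=S:/Charts/pt{i:03}.pdf -> S:/Charts/pt{i:03}.pdf.locked"
    for i in range(25)
]
LOG.append(f"{_ts(56)} user=jsmith op=create path=S:/Charts/HOW_TO_RECOVER_FILES.txt")


def parse(line):
    """Parse one audit line into a dict with a datetime 'ts', or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect(lines):
    """Return (user, reason, timestamp) alerts; at most one 'mass-rename' alert per user."""
    events = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    recent = defaultdict(deque)   # user -> timestamps of extension-appending renames
    alerted, alerts = set(), []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        # A rename whose new name is the old name plus a suffix (x.pdf -> x.pdf.locked)
        # is the signature of in-place encryption; ordinary renames change the stem.
        if ev["op"] == "rename" and ev["new"] and ev["new"].startswith(ev["path"] + "."):
            window = recent[user]
            window.append(ts)
            while ts - window[0] > WINDOW:
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and (user, "mass-rename") not in alerted:
                alerted.add((user, "mass-rename"))
                alerts.append((user, "mass-rename", ts))
        # Ransom notes are dropped into every folder under names built to be noticed.
        basename = ev["path"].rsplit("/", 1)[-1].lower()
        if ev["op"] == "create" and any(p in basename for p in NOTE_PATTERNS):
            alerts.append((user, "ransom-note", ts))
    return alerts


if __name__ == "__main__":
    for user, reason, ts in detect(LOG):
        print(f"{ts:%H:%M:%S} {user}: {reason}")
```

On the constructed log this reports jsmith twice (the rename burst, then the note) and nothing for mlee, whose single rename changes the file's stem rather than appending an extension. The per-user sliding window is what keeps a single user saving many documents from tripping the alert; the threshold and window are the knobs to tune against real traffic.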
How Attackers Target Office Workers
Cybercriminals do not always attack computer systems directly — they frequently target the humans who use those systems, because tricking a person is often easier than breaking a security control:
- Phishing is the most common attack method. Attackers send deceptive emails designed to look like legitimate communications from trusted sources (Microsoft, your bank, the IRS, a vendor, a physician). The goal is to get you to click a malicious link, open an infected attachment, or type your username and password into a fake login page. In a medical office, common phishing lures include fake HIPAA compliance notices, fake insurance portal login pages, and fake IT security alerts. Telltale signs are a sender address that does not match the display name, a link whose visible text differs from where it actually points, and wording that demands action within hours.
- Spear phishing is a more targeted version of phishing — instead of sending a generic mass email, attackers research specific individuals and craft emails personalized to them. A spear phishing email to Lakeside Medical Associates might reference the practice's address, the name of a real provider, or a recent event — making it appear far more legitimate than a generic phishing email.
- Vishing (voice phishing) uses phone calls — attackers call claiming to be from IT support, the IRS, a vendor, or even your clinic's management, and attempt to obtain passwords, login credentials, or sensitive information verbally. Legitimate IT support will never call you and ask for your password over the phone. If you receive such a call, hang up and call IT directly using the number you already have on file.
- USB drops: attackers leave infected USB drives in parking lots or waiting rooms, or mail them to offices labeled 'Payroll Data' or 'Important Records.' Some are keystroke-injection devices that type commands into the computer the moment they are plugged in; others carry documents that install malware when opened. Never plug an unknown USB drive into a work computer. Report any unexplained USB drive found in or near the office to IT without plugging it in.
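The phishing indicators listed above (a lookalike or mismatched sender, a Reply-To that goes somewhere else, link text that shows one domain while the link points to another, and pressure wording) can be checked mechanically. The following Python script is an added example for this lesson, not code from the original page. It runs those checks over two constructed messages; every address, domain and URL in them is invented, `lakesidemedical.example` is an assumed domain for the practice, and the trusted-domain list and phrase list are illustrative.

```python
"""Flag common phishing indicators in an email message.

Added example for this lesson, not code from the original page. The two
sample messages are constructed for illustration: the addresses, domains
and URLs in them are invented (lakesidemedical.example is an assumed
domain for the practice) and do not refer to any real organization.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the practice legitimately receives mail from (assumed allow-list).
TRUSTED_DOMAINS = {"lakesidemedical.example", "microsoft.com"}
# Wording that pressures the reader into acting before thinking (assumed list).
URGENCY_PHRASES = ("within 24 hours", "account will be suspended",
                   "verify your password", "compliance notice")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels (fine for .com-style hosts)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def looks_like_trusted(domain):
    """True for lookalikes of a trusted domain: rn->m, 0->o, 1->l, inserted hyphens."""
    if domain in TRUSTED_DOMAINS:
        return False
    folded = domain.replace("rn", "m").replace("0", "o").replace("1", "l").replace("-", "")
    return folded in {t.replace("-", "") for t in TRUSTED_DOMAINS}


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(address.rpartition("@")[2])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registered_domain(reply_to.rpartition("@")[2]) != from_domain:
        findings.append(f"Reply-To goes to a different domain: {reply_to}")
    if looks_like_trusted(from_domain):
        findings.append(f"sender domain is a lookalike of a trusted domain: {from_domain}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and from_domain != trusted:
            findings.append(f"display name '{display_name}' does not match sender domain {from_domain}")

    body = msg.get_payload()          # samples are single-part text/html
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        href_domain = registered_domain(urlparse(href).hostname or "")
        shown = HOST_RE.search(text.lower())
        if shown and registered_domain(shown.group(0)) != href_domain:
            findings.append(f"link text shows {shown.group(0)} but points to {href_domain}")
        elif looks_like_trusted(href_domain):
            findings.append(f"link points to a lookalike domain: {href_domain}")

    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed phishing sample: lookalike sender, Reply-To elsewhere, link text that
# shows one domain while the href points to another, and pressure wording.
PHISH = """\
From: Microsoft 365 Security <alerts@rnicrosoft.com>
Reply-To: support@secure-mail-verify.example
To: frontdesk@lakesidemedical.example
Subject: HIPAA compliance notice: action required
Content-Type: text/html

<p>Your mailbox will be suspended within 24 hours unless you verify your password.</p>
<p>Sign in at <a href="http://login.secure-mail-verify.example/owa">https://portal.office.com/</a></p>
"""

# Constructed benign sample from the practice's own IT team.
LEGIT = """\
From: Lakeside IT <it@lakesidemedical.example>
To: frontdesk@lakesidemedical.example
Subject: Printer maintenance on Friday
Content-Type: text/html

<p>The front-desk printer is offline Friday 7-8 am. Details are on <a href="https://intranet.lakesidemedical.example/notices">the intranet</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(sample) or ["no indicators"])
```

The phishing sample trips all five checks and the benign one trips none. Note what the script cannot do: it does not know whether a link is safe, only whether the message is lying about where it goes, which is exactly the judgement the lesson asks you to make by hovering over a link before clicking.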
Security Incident Response
Knowing what to do immediately after suspecting or confirming a security incident is as important as preventing incidents in the first place:
- Stop: do not continue using the computer or account if you suspect a compromise. Leave the computer powered on and leave programs as they are (memory and running processes hold evidence IT may need, and shutting down or closing things destroys it), but disconnect it from the network if you can (unplug the Ethernet cable or turn off Wi-Fi) so malware cannot spread to shared drives and other machines.
- Report immediately: notify your supervisor and IT as soon as possible. Do not wait to see if the problem gets worse or try to fix it yourself unless specifically authorized to do so. Under HIPAA a breach counts as discovered on the day any workforce member knows of it, so the organization's notification clock starts when you notice, not when IT confirms; every hour of delay is an hour the practice loses from its response window.
- Document what happened — write down (on paper, not on the potentially compromised computer) exactly what you observed: what email or website prompted the concern, what you clicked, what messages appeared, and at what time. This information is critical for IT's forensic investigation.
- Do not communicate about the incident via the potentially compromised system — if your email may be compromised, use a phone or another device to contact IT. Using the compromised email to report the breach may alert the attacker.
Knowledge Check
You find a USB drive in the clinic parking lot labeled 'Staff Payroll Q1 2025.' What should you do?
Challenge
Apply what you've learned in this lesson.
Build a Cybersecurity Threat Awareness Guide for Lakeside Medical Associates.
- Research one real ransomware attack on a healthcare organization (use news sources like healthcareitnews.com or hhs.gov breach reports). Write a 3-sentence summary: what happened, how the attack started, and what the organization could have done differently.
- Create a 'Threat Recognition Guide' with two columns: Attack Type and Warning Signs. Fill in rows for: Phishing Email, Vishing Call, Unknown USB Device, Malware Symptoms (strange pop-ups, slow computer, unexpected file changes). Each cell should have 2–3 specific warning signs.
- Write a 4-step Security Incident Response Procedure for Lakeside Medical Associates: what to do in the first 5 minutes after suspecting a security incident, formatted as a numbered list clear enough for any staff member to follow.
- Combine the summary, threat guide, and incident procedure into a single Word document called 'LMA_CybersecurityAwareness_2025-05.docx'. Format professionally with Heading styles. Export as PDF.