In a medical practice, a breach isn't a data problem. It's a patient-safety event.
Patient records move through your EHR, your email, the front desk's computers, your billing and lab vendors, and your backups. The EHR vendor secures the EHR. Nobody else is watching the rest of the practice around it — until something goes wrong and appointments stop, charts lock up, and patients are the ones waiting.
30 minutes, in plain English. No jargon, no scare tactics — just a clear read on where you stand.
Why ransomware crews target healthcare on purpose
It isn't random. A hospital can't wait a week to reschedule surgery, and neither can a practice with a full schedule and patients who need refills, results, and appointments today. That pressure is exactly what a ransomware crew is counting on — a practice that can't afford downtime is a practice more likely to pay to end it.
Patient records don't expire the way a stolen credit card does. A Social Security number, a diagnosis, an insurance ID — that information stays valuable for years, which makes it worth stealing even without a ransom attached.
And the practice's exposure isn't the EHR alone. It's the EHR plus email, plus the front-desk computer that's been running the same login since the office opened, plus the billing service and the lab you send results to, plus backups nobody has tried to restore from. The EHR vendor secures its own product. Nobody signed up to secure the rest.
Patient data doesn't stay inside the EHR. Here's where it actually goes.
EHR and portal access
Who can log in, from where, and with what protection on that login. A shared password at the nurses' station is a door with no lock on it — the EHR vendor built the lock, but someone has to use it.
Referrals, lab results, insurance correspondence, and password resets for everything else all pass through the practice's inbox. An attacker who gets into email rarely needs to touch the EHR directly.
Front-desk and provider devices
Check-in computers, provider laptops and tablets, the workstation in the back office — unmanaged and unmonitored, each one is a way in that has nothing to do with how good your EHR password policy is.
Vendors and business associates
Billing services, labs, imaging centers, answering services — anyone who touches patient data on your behalf extends your exposure to their security, whether or not anyone has reviewed it.
Backups
The plan for the day everything else fails. A backup that has never been test-restored isn't a backup — it's an assumption, and ransomware is what tests it for you.
Signs it's time
- Front-desk staff share a login to the EHR or practice management system.
- Providers check email or charts from personal phones and laptops with no oversight.
- Nobody can say when your backups were last tested with an actual restore.
- You've never reviewed the security practices of your billing service, lab, or answering service.
- MFA is on for some systems, off for others, and nobody's tracking which.
- Your cyber insurance renewal asked security questions the practice had to guess at.
Two or more sound familiar? That's exactly the practice this work is for.
The Droptine plan, for practices
Find the exposure
We trace where patient data actually moves — EHR access, email, the devices at check-in and in exam rooms, and every vendor with a login or a data feed into the practice. Most of what we find never shows up on an EHR security checklist.
Lock down what matters
Access and email come first, since they're the fastest way into everything else. From there: managed devices, vendor agreements reviewed, backups tested against a real restore.
Maintain the program
Staff turn over, vendors change, new devices show up at the front desk. We keep controls, monitoring, and documentation current so the practice isn't relearning its own exposure every year.
What working with Droptine covers
- MFA and access controls on the EHR, practice management system, and email
- Managed, monitored devices at the front desk and for providers — with a plan for personal devices
- Review of business associates and vendors: billing, labs, imaging, answering services
- Backups that are protected, tested, and confirmed to restore before you ever need them
- HIPAA-aligned policies and documentation that describe real controls, kept current
- Monitoring and maintenance after setup — because staff, vendors, and systems change
Common questions
Isn't our EHR vendor handling security?
The vendor secures the EHR itself — the software, its hosting, its own access controls. It doesn't manage the front-desk computer that logs into it, the email account that receives your patient correspondence, or the billing service you send claims to. Those are the practice's responsibility, and they're usually where the exposure actually is.
What does HIPAA actually require of us?
In broad terms, the HIPAA Security Rule expects practices to safeguard patient health information with reasonable administrative, physical, and technical controls, and HHS has breach-reporting expectations if PHI is exposed. Exact requirements depend on your practice's size, systems, and how PHI moves through it. This page describes the shape of the obligation; it is not a substitute for reviewing your specific situation.
We're a small practice. Are we really a target?
Small practices hold the same patient records as large health systems, usually with no dedicated security staff watching over them. That gap is exactly what attackers look for. Size doesn't make a practice invisible — it just means fewer people are positioned to notice a problem before it spreads.
Will security work slow down the front desk or patient flow?
Done right, it shouldn't be something patients or staff notice day to day. MFA adds a few seconds to logging in. Managed devices run in the background. The heavier work — vendor review, backup testing, documentation — happens behind the scenes, on a schedule that fits around your patient hours, not during them.
We already have an IT person. Why isn't that enough?
Most practice IT support is built to fix what breaks — a printer, a slow login, an EHR glitch. Security is a different job: deciding who can access what, watching for misuse, testing recovery, keeping documentation current. We can work alongside your current IT or handle both. Either way, someone needs to own security by name, not as a side task.
Protect patient trust the way your patients assume you already do.
They handed you their health records. A 30-minute conversation will tell you whether the systems holding that trust deserve it.