Cybersecurity and Risk Assessments

What is Cybersecurity?

Cybersecurity is the protection of data and systems in networks that connect to the Internet. Physicians and practices should consider the following to protect themselves against unauthorized access to their data and systems:
  1. Use strong passwords and change them regularly.
  2. Install anti-virus software.
  3. Train employees in key areas – Acceptable use, password policies, defenses against social engineering, and avoiding phishing attacks.
  4. Create security policies and make sure all employees commit to them.
  5. Encrypt all records and confidential data to be more secure from cyber attack.
  6. Perform frequent backups and keep a copy of recent backup data off premises.
  7. Defend your network behind your firewall and make sure you can block rogue access.
  8. Deal with the bring-your-own-device dilemma by standardizing security protocols.
  9. Control access to PHI.
  10. Control access to devices.

Another option is to hire a company to do the above for you. reviewed some of the top healthcare cybersecurity companies.

How to Implement a Cybersecurity Program

What is Ransomware

Ransomware is a form of malware that locks computer files with encryption, preventing the user from gaining access to their data. A security key must be used to decrypt locked data. That security key is held by the attackers, and is only released when a ransom is paid.

If you have cybersecurity questions, call TMA's Health Information Technology Department at 800-880-5720, or send an email to

How to Report a Cyber Incident to the Federal Government

HHS defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.” If you suspect an information security or privacy related incident, contact your OPDIV Chief Information Security Officer or the HHS Computer Security Incident Response Center (CSIRC). The HHS CSIRC can be reached at or 866-646-7514. To view more information, visit HHS Incident Reporting, Policy and Incident Management Reference.

My entity just experienced a cyber-attack! What do we do now?.

What is a Risk Assessment?

A risk assessment involves identifying the various information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data, intellectual property, etc.) followed by identifying the various risks that could affect those assets.

How to Conduct a Risk Assessment

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.
1. Download the Security Risk Assessment Tool tool onto your Windows computers and laptops or search the Apple Store for "HHS SRA Tool" on the iOS iPad. 
2. Refer to the SRA Tool 3.2 User Guide for step-by-step instructions on how to use the tool.

Tool Kits & Resources:

Visit our HCMS HIPAA and the HITECH Act page for more information on Texas Privacy Law. 

Insurance and Liabilities

One of the greatest threats to physician practices is the increasing number of stolen laptops, and other electronic devices which causes a security breach for the entire organization. In addition to this, limited access to hospital portals and EHRs can create password sharing among employees, which in turn creates a greater risk for PHI to be compromised on the practice end as well as putting the hospital at risk for a security breach.