I hate to say it, but your patients’ protected information could be at risk—that is, if you’re not taking the proper precautions to keep it secure. Every day, hackers and cyber criminals use malicious software (a.k.a. “malware”) to target businesses and individuals around the world. Malware has many incarnations—including computer worms, annoying pop-ups, and Trojan horses—but the term generally refers to any software that’s installed without the user’s knowledge or consent. And last year, we saw a serious increase in the use of a different kind of malware: ransomware.

In a ransomware situation, the attacker typically locks the victim’s computer or network—or threatens to make the victim’s private information public—unless the victim pays a ransom. It sounds like the stuff of Netflix thrillers, but unfortunately, it’s becoming fairly common: according to the US Small Business Association, an average of 4,000 ransomware attacks occurred every day in 2016, and the fallout can have devastating financial consequences. For healthcare facilities, the impact can be particularly disastrous because it’s not just the organization’s own information that is at risk: patients’ protected health records are on the line, too.

So, how can you protect your practice—and your patients’ information—from ransomware and other types of malware? Simple: Use the following tips to keep yourself—and your practice—safe.


1. Don’t click on anything suspicious.

The first step to protecting your network is understanding how malware makes its way onto your computer. The most common malware vehicles include:

  • email attachments;
  • removable storage drives;
  • downloaded software; and
  • links in emails, social media sites, or other websites.

This isn’t a complete list; there are many ways hackers can infiltrate your system, and no website is 100% safe from malicious attacks. But, there’s good news: malicious software is often easy to spot—especially if you know what to look for. So, before you open any download, email, or link, scan it for the following telltale signs:

  • The email isn’t addressed to an actual person. Fake emails often use a generic addressee (e.g., “customer” or “member”). Conversely, legitimate emails usually address you by your first or last name, if not both.
  • The text is riddled with typos and grammatical errors. Fake emails often contain grammar and spelling flubs, making them easier to spot.
  • The email or message comes from someone you don’t know. While friends and family can inadvertently send you a malicious link or download, you’re more likely to receive a harmful attachment from someone you don’t know.
  • It asks you for personal information. Do not—I repeat, do not—give out personal information via email. That includes your social security number, bank account information, and passwords. Legitimate businesses should never ask for sensitive information unless you are using their secure websites or apps—or speaking with a company representative in person or over the phone.
  • The URL in the address bar doesn’t match the link you clicked. For example, if the link says “www.webpt.com,” but the address it takes you to is “www.ptweb.com,” then there’s a solid chance something is amiss.
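Two of the signs above (a generic greeting, and link text that names a different site than the address it actually goes to) can be checked automatically before anyone clicks. The following is an added example, not code from the original post or from WebPT; it scans a constructed sample email, and the `check_email` and `_host` names are my own.

```python
# Added example: flag a generic greeting and mismatched link text in an HTML email.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear member", "dear user", "dear valued customer")

def _host(text):
    """Hostname named by a URL or bare domain (www. stripped), else None."""
    text = text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", text, re.I):
        if not re.match(r"^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", text, re.I):
            return None  # ordinary link text such as "click here", not a domain
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else (host or None)

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []  # (href, shown text)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf)))
            self._href = None

def check_email(html):
    """Return warning strings for the suspicious signs found in an HTML email."""
    p = _LinkCollector()
    p.feed(html)
    warnings = []
    body = " ".join(p.text).lower()
    greeting = next((g for g in GENERIC_GREETINGS if g in body), None)
    if greeting:
        warnings.append(f"generic greeting: {greeting!r}")
    for href, shown in p.links:  # visible domain must match the real destination
        shown_host, real_host = _host(shown), _host(href)
        if shown_host and real_host and shown_host != real_host:
            warnings.append(f"link text says {shown_host!r} but goes to {real_host!r}")
    return warnings

# Constructed sample message (not a real email) mirroring the example above.
SAMPLE = ('<p>Dear Customer,</p><p>Confirm your details at '
          '<a href="http://www.ptweb.com/login">www.webpt.com</a>.</p>')
```

Running `check_email(SAMPLE)` reports both the generic greeting and the webpt.com/ptweb.com mismatch; a message addressed by name with honest links returns an empty list.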

2. Be wary of public Wi-Fi.

Ah yes, there’s nothing quite like grabbing a seat at your favorite coffee spot, logging on to the public Wi-Fi, and catching up on patient documentation, right? Not so fast. Any time you’re working with PHI or other sensitive information, you should always be on a private, password-protected network—no exceptions. This is because public Wi-Fi networks are highly exploitable and vulnerable to malicious attacks. If you must work outside of the office, consider using a VPN service.

Additionally, be mindful about who can access your private networks, and make sure your practice’s Wi-Fi is password-protected. If you offer Internet access to your patients, make sure that connection is separate from the one you use with your work devices.

3. Use protective software.

Hopefully, your practice already uses some kind of antivirus software or antispyware. (If not, drop what you’re doing and go get some.) But, not all software is created equal. So, if you need some guidance, check out this page from Tom’s Guide for a comprehensive look at the best antivirus options.

4. Restrict privileges.

Sometimes, the best way to protect your practice is to set boundaries for what can and can’t be done on work devices. This could mean having your IT person whitelist specific apps or sites in your browser so that they are the only things users can access. Alternatively, you can choose to blacklist specific sites—a much easier, though not quite as effective, option for most end users. You should also consider setting administrative privileges so that only users with admin credentials can download files.

5. Encrypt sensitive data.

If, for any reason, you must save documents containing PHI or other sensitive information to your device, be sure to encrypt and password-protect the files. Fortunately, both Macs and PCs provide easy ways to implement password protection. As for encrypting your data, there are several methods you can use to accomplish this, including placing files in a password-protected, encrypted archive with a program like 7-Zip or turning on the built-in disk encryption, BitLocker on Windows or FileVault on Mac.

6. Keep your software up to date.

Cyber threats are ever-evolving, and many software companies regularly release security updates and patches to help keep you safe. Typically, the software will alert you whenever an update becomes available—and when that happens, it’s crucial that you install it as soon as possible, especially for any application you use to access sensitive information. This includes point-of-sale programs, Internet browsers, and operating systems such as Windows, iOS, and Linux.

7. Create a security policy.

Just as your clinic’s social media policy helps keep your staff from making HIPAA slip-ups on Facebook, your cyber security policy should arm them with basic information to help them identify potential threats—and outline what to do in the event that your practice falls prey to a cyber attack. But, did you know that as a HIPAA-covered business entity, you’re actually required to have written policies and procedures for protecting PHI? If not—and if your practice doesn’t have any—then we’d recommend creating and implementing some ASAP. Not sure where to start? This article from Malwarebytes offers an in-depth outline for building a cyber security policy. At minimum, this policy should establish:

  • who is responsible for maintaining the policy and training staff on it;
  • who can access protected data;
  • how to report security incidents (and who responds to them); and
  • how your practice will store and protect data.

It’s also crucial that your staff not only receive training on how to adhere to your practice’s cyber security protocol, but also understand why it’s important.


The Internet can be a crazy, scary place. And if you’re a busy clinic owner or practice manager, the threat of a cyber attack might be one of many things that keep you up at night. However, taking the right precautions and having a plan in place—in addition to having a safe, HIPAA-compliant EMR software—should help you rest easier. After all, it’s better to prepare for the worst and hope for the best than it is to leave it all to chance.
