Russell Mickler

Top 5 Cybersecurity Threats Facing Small Medical Offices

Learn the top 5 cybersecurity threats facing small medical offices in Vancouver, WA, and how specialized IT support focusing on medical practices keeps your practice secure and compliant.

Increasingly, running a medical practice isn’t just about treating patients; it’s also about safeguarding the sensitive data and equipment that accompany modern healthcare. Medical practitioners are inundated with classified forms of information (medical records, chart notes, insurance and billing details, state identifications, tax records), all prime targets for cybercriminals, and all protected in some form by state and federal law. And the reality is that the small medical office is at even greater risk than the big hospitals: cybercriminals rightly assume you have fewer resources to afford an IT department.

Let’s break down the top five cybersecurity threats facing small medical offices today, and how to defend against them.

1. Phishing Attacks

That “urgent” email asking you to click a link or verify your password? Classic phishing. That unpaid invoice from some @gmail.com account? Think twice. These emails often look legitimate, sometimes even mimicking vendors or government agencies, but they’re trying to scam you. One wrong click can expose your login credentials, defraud you of needed cash, or install malware.

Pro Tip: Tighter technical controls surrounding email are one part of a solution. Train staff to spot suspicious emails, use multi-factor authentication (MFA), and filter inbound mail to block obvious scams. That training is also required by HIPAA.

2. Ransomware

Ransomware locks your files behind a layer of encryption until you pay the attacker. For a medical office, that can mean losing access to patient records, appointment schedules, and billing systems, which can impact reputation and patient care. In some cases, it might mean hefty civil penalties.

Pro Tip: Never pay a ransom. That simply makes you a paying (returning) customer of a cybercriminal. Instead, plan for catastrophe: whether it’s ransomware, an earthquake, or a fire, the safeguard is the same. Keep regular, encrypted, off-site backups and test your recovery process. That way, even if ransomware strikes, you can restore systems without paying the ransom and get back to work as quickly as possible.

3. Insider Threats

Not all threats to your practice come from outside. Disgruntled employees or even untrained staff can accidentally, or intentionally, compromise data and patient confidentiality. From downloading sensitive files to plugging in infected USB drives or stealing patient information, insiders pose real risks. HIPAA’s Security Ruling requires you to implement adequate safeguards to protect patient data from internal threats as well as external ones. Sometimes, the bad guys live with us.

Pro Tip: Practice the principle of least privilege. Limit access to sensitive systems, monitor activity logs, and implement role-based permissions so staff only see what they need.

4. Outdated Software

I get it: nobody likes change. That old workstation running Windows 7 (a deprecated operating system), Word 2016 (a deprecated productivity application), or the decade-old medical software you still rely on? They’re comfortable, but outdated systems often no longer receive security patches and carry lasting, well-known vulnerabilities, making them easy targets. Hackers actively scan for these vulnerabilities. But beyond that, the Security Ruling obligates you to run software that is monitored for security risks and patched, which requires regular upgrades.

Pro Tip: Keep operating systems, EMRs, and all applications updated. Partner with an IT provider who can schedule updates without disrupting daily operations and keep you on task for asset replacement.

5. Unsecured Devices

Between mobile phones, tablets, and laptops, today’s medical offices are full of devices that can access patient data from anywhere. If those devices aren’t secured, encrypted, or tracked, they become strategic weak points.

Pro Tip: Enforce device encryption on all devices, require strong passcodes, and set up remote wipe capabilities in case a device is lost or stolen. An Incident Response Plan (also required by the Security Ruling) tracks your response to these problems over time, and demonstrates your “due care” obligations.

The Role of Managed IT Services

I feel doctors and medical staff already wear enough hats. Expecting them to also act as cybersecurity experts isn’t realistic. That’s where a managed IT partner like me comes in.

With proactive monitoring, data encryption, HIPAA-compliant systems, and round-the-clock support, IT services that directly address your Security Ruling obligations give you peace of mind. Instead of worrying about cyber threats, you can focus on patient care, knowing your practice is protected. HIPAA’s goal is to implement good risk management practices addressing ePHI. That’s what we all want to do, right? Manage risk more effectively?

Conclusion

Cybersecurity for medical practices isn’t optional; the Security Ruling’s expectations are clear. By understanding these top five threats and putting the right defenses in place, small medical offices in Vancouver can stay compliant, protect patient trust, and keep care running smoothly.

If you’re ready to strengthen your defenses and simplify IT, it may be time to talk with a local healthcare-focused IT consultant who knows the risks and how to prepare for them. Give me a buzz.

R

Russell Mickler

No, Microsoft 365’s OneDrive Is Not HIPAA-Compliant

Learn how to make Microsoft OneDrive HIPAA-compliant for your Vancouver, WA medical practice. Licensing, BAAs, security, training & audits explained.

So you’re a savvy business manager for a medical practice in Vancouver, WA.

Let’s talk about something not-so-fun but super-important: HIPAA compliance with OneDrive. Yes, you want your files available to you, but you also want your Electronic Protected Health Information (ePHI) to be safe and secure, right? In accordance with the Security Ruling?

Here’s the lowdown.

1. OneDrive Can Be HIPAA-Compliant. It Starts with Licensing.

Using OneDrive out of the box is not HIPAA-compliant, and it is certainly not compliant with a personal Microsoft account. The road to compliance begins with the right licensing. If you’re looking for HIPAA compliance with OneDrive, you must be on a Microsoft 365 Business Premium plan or an E1, E3, or E5 plan.

That’s the starting point: are you using an enterprise-level M365 product? If not, storing classified forms of information in OneDrive is against Microsoft’s T&Cs, and you shouldn’t be using it for that purpose. Without an enterprise-level plan and proper configuration, you’re not covered, and storing PHI in OneDrive would violate both Microsoft’s terms and HIPAA’s Security Ruling requirements.

2. You’ll Need a Business Associate Agreement (BAA).

The Security Ruling requires a Business Associate Agreement (BAA) with any third party handling PHI, including Microsoft. Good news: Microsoft automatically provides a BAA for those enterprise-level plans. Here’s how to check on the BAA status:

How to Check the BAA Status of Your Organization

  1. Sign in to the Microsoft 365 admin center with your Global Administrator credentials.

  2. Go to Billing > Subscriptions.

  3. Find your M365 subscription and click on it.

  4. Look for the section titled Optional Privacy and Security Contractual Supplements.

  5. Within that section, locate the Office 365 and CRM Online HIPAA/HITECH Business Associate Agreement.

  6. If the BAA is available, the system will allow you to accept it, or it will indicate that it is already included with your subscription.

3. What Does the BAA Cover?

Microsoft’s BAA is the legal contract that allows covered entities (such as your healthcare clinic or practice) to use Microsoft cloud services with ePHI. Here’s what the Microsoft BAA covers:

Scope of Services. The BAA applies to certain Microsoft 365/Office 365, Azure, Dynamics 365, and OneDrive for Business/SharePoint Online services that are classified as “in-scope” for HIPAA. Only those services listed in Microsoft’s HIPAA/HITECH offering are covered — using non-covered Microsoft products with PHI could put you out of compliance. Example:

  1. Microsoft 365/Office 365: This includes services like Outlook, Teams, SharePoint, and OneDrive when used within a qualifying environment.

  2. Microsoft Azure: Various Azure services, such as App Service, Azure Active Directory, and Azure Resource Manager, are covered.

  3. Microsoft Dynamics 365: Core Dynamics 365 services are included in the BAA.

  4. Microsoft Power Platform: Services like Power BI, Power Apps, and Power Automate can be covered.

  5. Microsoft Intune: Intune online services are also covered by the BAA.

Security Safeguards. Microsoft agrees to implement administrative, physical, and technical safeguards to protect PHI that align with the Security Ruling:

  1. Data encryption (at rest and in transit)

  2. Access controls

  3. Data segregation

  4. Audit logging

Use and Disclosure of PHI. Upon executing the BAA, Microsoft commits to:

  1. Using PHI only to provide the contracted services (not for advertising or unrelated purposes).

  2. Not disclosing PHI unless required by law or explicitly permitted by the BAA.

Breach Notification. Microsoft must:

  1. Notify you without unreasonable delay if they discover a security breach or unauthorized disclosure of PHI.

  2. Provide details to meet your HIPAA Breach Notification Rule obligations.

Subcontractors. If Microsoft uses subcontractors (for hosting, support, etc.), Microsoft must ensure those subcontractors also comply with HIPAA safeguards and obligations.

Customer Responsibilities. This part is crucial. The BAA doesn’t make you “automatically compliant.” You’re still responsible for:

  1. Configuring security settings (e.g., MFA, audit logs, DLP).

  2. Training your staff on HIPAA policies.

  3. Running HIPAA risk assessments.

  4. Ensuring you only store PHI in covered services.

4. Volume Encryption.

But we’re not done yet. The volume OneDrive writes to on your PC or Mac must be encrypted, typically using either Microsoft’s BitLocker or Apple’s FileVault. You should have asset control records demonstrating the encrypted state of these machines.

5. Access Control.

Machines that use and access ePHI must have strong access controls (passwords, biometrics, etc.) enabled in the operating system. The Microsoft accounts used to access OneDrive should be protected using 2FA/MFA.

6. Monitoring.

One of the core tenets of the Security Ruling is endpoint monitoring. You must be aware of the state of devices (PCs, Macs, phones, tablets) accessing ePHI at all times, including their operating system patching, encryption status, antivirus status, overall mechanical health, and fitness for purpose.
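As an added illustration (not the author’s own tooling), here is a PowerShell snapshot that produces the kind of per-device record the Volume Encryption and Monitoring sections call for: BitLocker state per volume, patch level, and Microsoft Defender antivirus status, appended to a CSV you can keep as an asset control record. It assumes a Windows 10/11 workstation with the built-in BitLocker and Defender modules, is run from an elevated prompt, and uses a placeholder output path.

```powershell
# Endpoint compliance snapshot for asset control records (added example; not the author's tooling).
# Run elevated on a Windows 10/11 workstation. Uses the built-in BitLocker and Defender modules.
# The output path is a placeholder; point it at a shared, access-controlled location.
$OutputCsv = 'C:\AssetRecords\endpoint-status.csv'

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
$mp  = Get-MpComputerStatus                       # Microsoft Defender antivirus state
$fix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

# One record per volume, so every drive OneDrive might write to is covered
$records = foreach ($vol in Get-BitLockerVolume) {
    [pscustomobject]@{
        Timestamp           = (Get-Date).ToString('s')
        ComputerName        = $env:COMPUTERNAME
        Manufacturer        = $cs.Manufacturer
        Model               = $cs.Model
        OS                  = $os.Caption
        OSVersion           = $os.Version
        LastPatchId         = $fix.HotFixID
        LastPatchInstalled  = $fix.InstalledOn
        Volume              = $vol.MountPoint
        BitLockerStatus     = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
        BitLockerProtection = $vol.ProtectionStatus  # Off means the key protectors are suspended
        EncryptionMethod    = $vol.EncryptionMethod
        EncryptionPercent   = $vol.EncryptionPercentage
        AntivirusEnabled    = $mp.AntivirusEnabled
        RealTimeProtection  = $mp.RealTimeProtectionEnabled
        SignatureAgeDays    = $mp.AntivirusSignatureAge
    }
}

# Flag anything that would fail the encryption, patching, or antivirus expectations above
$findings = @()
foreach ($r in $records) {
    if ($r.BitLockerStatus -ne 'FullyEncrypted' -or $r.BitLockerProtection -ne 'On') {
        $findings += "Volume $($r.Volume) is not fully encrypted with protection on"
    }
}
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) { $findings += 'Defender antivirus or real-time protection is off' }
if ($mp.AntivirusSignatureAge -gt 7) { $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old" }
if ($fix.InstalledOn -lt (Get-Date).AddDays(-45)) { $findings += "No update installed since $($fix.InstalledOn)" }

$records | Export-Csv -Path $OutputCsv -Append -NoTypeInformation
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "All checks passed on $env:COMPUTERNAME" }
```

Run it on a schedule (or from your RMM tool) so the CSV becomes a dated history of each device’s encryption and patch state rather than a one-off check; the 7-day and 45-day thresholds are constructed examples you should set to your own policy.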

7. Do a HIPAA Risk Assessment.

HIPAA compliance isn’t just about ticking boxes on a checklist; it’s about understanding and responding to risks. A proper risk assessment helps you match Microsoft’s plans and add-ons to your needs. Without it, you might end up under-protected or paying for licensing and Technical Controls you don’t need. Understanding where you are in your compliance journey is essential to knowing how much further you need to go.

8. Configure Security Settings Thoughtfully.

Here’s where things get hands-on. Depending on your Microsoft plan, you may need to enable or add Technical Controls like:

  • Identity rules and permissions.

  • Audit logging to monitor who’s doing what and when.

  • MDM (Mobile Device Management) and EPM (Endpoint Management).

  • Policies for data loss prevention (DLP), session timeouts, and sharing restrictions.
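As an added example (not the author’s configuration), here is a PowerShell baseline that turns on three of the Technical Controls listed above for OneDrive: unified audit logging, a DLP policy that blocks external sharing of files containing US Social Security numbers, and tenant-wide sharing restrictions with a browser session timeout. It assumes a Business Premium or E3/E5 tenant, a Global Administrator account, the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, and uses `<tenant>` as a placeholder; identity rules (MFA/Conditional Access) and MDM are set in the Entra and Intune admin centers and are not covered here.

```powershell
# Baseline OneDrive/M365 technical controls (added example; not the author's configuration).
# Assumes Business Premium or E3/E5, a Global Admin account, and these modules installed:
#   Install-Module ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell
# <tenant> is a placeholder for your tenant name.
$TenantName = '<tenant>'

# --- Audit logging: make sure the unified audit log records who did what, and when ---
Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# --- DLP: block external access to files that contain a US SSN, and tell the owner why ---
Connect-IPPSSession
New-DlpCompliancePolicy -Name 'ePHI-OneDrive' -Comment 'Block external sharing of files containing SSNs' `
    -OneDriveLocation All -SharePointLocation All -ExchangeLocation All -Mode Enable
New-DlpComplianceRule -Name 'ePHI-OneDrive-SSN' -Policy 'ePHI-OneDrive' `
    -ContentContainsSensitiveInformation @(@{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }) `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This file appears to contain a Social Security number and cannot be shared outside the practice.'
# BlockAccessScope PerUser blocks external users only; staff inside the tenant keep access.

# --- Sharing restrictions and session timeouts for OneDrive/SharePoint ---
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
$sharing = @{
    SharingCapability      = 'ExternalUserSharingOnly'  # no anonymous "anyone" links; external recipients must sign in
    DefaultSharingLinkType = 'Direct'                   # new links go to named people, not "people in your org"
    DefaultLinkPermission  = 'View'                     # read-only by default
}
Set-SPOTenant @sharing
# Warn idle browser sessions after 30 minutes and sign them out after 60
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Minutes 30) -SignOutAfter (New-TimeSpan -Minutes 60)

# --- Read the settings back so the result can go straight into your risk assessment or audit file ---
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
Get-SPOBrowserIdleSignOut
Get-DlpCompliancePolicy -Identity 'ePHI-OneDrive' | Select-Object Name, Mode, OneDriveLocation
```

Start the DLP policy in `-Mode TestWithNotifications` for a week or two if you want to see what it would block before it starts blocking; the sharing level and timeouts are constructed values that should come from your own risk assessment.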

9. Training.

You can have a bulletproof tech setup with strong Technical Controls, but if your people don’t know how to use it right, you’re still at risk. Training should cover how to save files correctly, how to avoid disclosing PHI in file names or links, and what not to do. Annual training for your staff is a requirement of the Security Ruling anyway.

10. Written Policies & Procedures.

HIPAA requires Administrative Controls (written policies and procedures) that govern how these safeguards work to protect ePHI. If no written material exists, how could you verify management intention against actual practice? Policies and procedures are the administrative framework necessary to communicate management’s expectations and reconcile those expectations against actual practice.

11. Audits and Corrective Action.

It’s essential to introduce audits to identify and address compliance gaps. Those resolutions should be captured as corrective actions, and these activities demonstrate “Due Care” — a legal requirement to demonstrate competency and avoid accusations of negligence.

Have more questions? I’ve got answers.

R

Russell Mickler

5 Cybersecurity Threats Law Firms Face in 2025, and How to Prevent Them

Learn the top 5 cybersecurity threats facing law firms in 2025 and how trusted IT support in Vancouver, WA can protect your data, reputation, and clients.

If you’re an attorney in Vancouver, WA, your clients trust you with their most sensitive information: contracts, financials, medical records — you name it — and in 2025, cybercriminals are more interested in that data than ever before.

Legal practices are prime targets because you deal in high-value, confidential material, and hackers know your deadlines leave little room for downtime.

That’s why strong IT support in Vancouver, WA isn’t just about fixing computers. It’s about protecting your reputation, your clients, and your livelihood. Let’s break down five of today’s biggest cybersecurity threats for law firms and how to guard against them.

1. Phishing Attacks

Phishing emails look more real than ever. In 2025, hackers use AI to mimic client writing styles, making malicious emails harder to spot. One bad click could hand over login credentials or install malware.

Pro Tip: No amount of technology can defend you absolutely against this threat. The real solution is found in training the human eye. Train your staff to spot suspicious links, double-check unusual requests, and report anything that feels off. On the technical side, use email filtering, strong spam controls on your mail server, and multifactor authentication to make stolen passwords less useful.

2. Ransomware

Ransomware encrypts your files and demands payment for the key. For law firms, losing access to case files can be catastrophic. Criminals know you’re under pressure to pay up fast.

Pro Tip: Never pay anyone to access your data, and use data backups as an insurance policy. Maintain secure, off-site backups that are tested regularly. Partner with local IT support that can respond quickly and restore your systems without giving in to criminals. Make the ransom irrelevant: wipe out the computer and restore the data. That’s resilience, and it’s that simple.

3. Insider Threats

Not every threat comes from outside. A disgruntled employee, contractor, or even someone who accidentally mishandles data can cause serious breaches.

Pro Tip: Exercise “least privilege” controls to limit data access based on role, track document changes, and review permissions regularly. An IT partner can help set up proper access controls and monitoring through routine audits.

4. Weak Mobile Security

Lawyers work everywhere — courthouses, coffee shops, home offices — and that mobility can be a gift to hackers if devices aren’t properly secured.

Pro Tip: Device encryption, enforcing strong passcodes, Endpoint Monitoring (EPM), and kill switches are the way to go. Mobile Device Management (MDM) tools can remotely wipe lost or stolen devices.

5. Outdated Software and Systems

Cybercriminals love old software and operating systems because they’re full of known security holes. If your systems aren’t patched, you’re inviting trouble. And guess who hates change? Yeah, attorneys! But don’t let fear stop you from doing what you know is right.

Pro Tip: Keep all operating systems, apps, and plugins up to date. A managed IT provider can automate updates, advise you on asset replacement, and ensure nothing slips through the cracks.

Why Local IT Support Matters

Cybersecurity isn’t one-size-fits-all. It’s not a magic pill. Vancouver-based law firms face unique compliance and confidentiality demands, and local IT support means faster, more tailored solutions. Whether it’s responding to a breach, tightening security, or training your staff, having experts nearby keeps you one step ahead of attackers.

If your law firm’s IT strategy hasn’t had a checkup lately, now’s the time. Don’t wait for a cyber incident to find out where the gaps are. With the right partner, you can keep your cases moving, your data safe, and your clients confident that their trust is well-placed. Ask me how.

R
