HACKED: Health Care Held Hostage - Arming Your Business to Defend Against Cyberattacks – Part 2

Posted in Process Improvements, Cybersecurity

By Jeremy Kauten, CIO and Sr. VP of IT, VGM Group, Inc.

Note: This is the second of a two-part series about the current state of affairs in cybersecurity, how to determine levels of risk to your company and patient data, and best practices to help protect your business from hackers.

Identifying Your Greatest Risk

Most, if not all, health care providers would agree that their greatest assets are employees. When it comes to patient care, they’re probably correct.

When it comes to cybersecurity, however, employees are the biggest threat to data security. According to McAfee, 43 percent of all company data loss or breaches are caused by employees. By simply clicking on an attachment or link in a malicious email, using unsecured Wi-Fi with their mobile device(s), or misplacing documents, employees can inadvertently open a business up to a significant financial loss. 

Alarming statistics confirm why hackers target small businesses. According to the Small- to Medium-size Business Threat Awareness Poll, 67 percent of small- to medium-size businesses do not use web-based security, and 61 percent do not use antivirus on all computers. Phones, tablets, computers, and laptops typically access the infrastructure and at some point contain patient data or have access to it.

Software updates and proper protection on devices do not require an IT expert and are crucial to protecting company and patient data. 

Security experts agree that a business’s computer systems and networks, or infrastructure, must be addressed in a cybersecurity program. Protect your infrastructure by using proper firewalls, anti-virus, web filtering, email filtering, access levels, as well as by making smart decisions about the software you’re using to store patient data.

Software systems, such as billing or patient management software, are another element of risk. Most providers use third-party, cloud, or hosted software and rely on their software vendor for security.

When using third-party hosted software, two-factor authentication should always be turned on when available. This is one line of defense, but don’t stop there. Networks need to be able to protect files locally and software that is hosted elsewhere.

Best Practices to Protect Your Business  

In today’s environment of data-driven business solutions, it has never been more important for small-business owners to be proactive in understanding threats to their business and invest in data breach protection. 

Cybersecurity threats are an ever-evolving problem. Health care providers should be creating and updating IT policies to address newer technologies and the increasing cybersecurity threats. Policies should be reviewed at least annually, and any revisions should be communicated to staff members.

Technology is an intimidating and complicated business tool. Coupled with other day-to-day business practices, it’s difficult for the average health care provider to keep up on the latest threats.

Hiring third-party security experts to expose known threats and offer best practices is necessary for health care companies. There are companies that specialize in ongoing penetration tests where a white hat hacker (an ethical computer hacker or security expert) will attempt to breach a system. Following the test, the vendor will provide a detailed report of vulnerabilities. This report can serve as a resource for developing and implementing security measures to protect data.   

Training staff is vital to protecting data. Employees who are trained on how to handle potential cyber risks can protect a company by maintaining a security-conscious culture. Just as the TSA educates travelers to keep an eye out for suspicious behavior, employees should be expected to watch for suspicious activity to protect the business.

A number of easy-to-use and trackable training programs are available to help educate staff. Regular training helps to build an additional line of defense to ensure company and customer data remain secure and protected from hackers and other online threats.

A business’s billing software likely houses all pieces of valuable patient data. Most software allows for IP lockdown so that it can only be accessed via the company’s protected network or offsite through a secure VPN (virtual private network) connection. And again, when using a third-party hosted software, two-factor authentication should always be activated.  

Finally, health care providers should consider purchasing a Cyber Liability insurance policy. Cyber policies can cover a business’s financial liability for a data breach. During the process of acquiring a cyber policy, the insurance company will typically go through a list of best practices with you and can even offer additional training resources.  


Cybersecurity is something that should be taken very seriously. Hackers work full time to find ways to penetrate a business’s infrastructure to capture company and patient data. They will do anything they can to gain financially from an IT oversight. Don’t risk it all. Arm yourself with tools and practices to protect your business from online threats.

For more information or additional resources, visit

About the Author

Jeremy Kauten serves as chief information officer and senior vice president of Information Technology for VGM Group, Inc. His responsibilities include leading VGM’s corporate Information Technologies department, coordinating optimization of technology, strategizing on how to accelerate success across VGM’s 28 business units and spearheading the technology message to share with the membership groups.

Jeremy’s energy, leadership and ability to bring people together augment the development of systems and technology across VGM. He has developed and implemented thorough internal and external training programs to educate management, staff and customers alike to ensure company and customer data remain secure and protected from hackers and other online threats. Jeremy has presented at various health care tradeshows and state association meetings throughout the U.S.  

Contact Information

Jeremy Kauten
CIO and Sr. VP of IT, VGM Group, Inc.
1111 West San Marnan Drive
Waterloo, Iowa 50701