Control implemented: Mandatory multi-factor authentication (MFA) for EHR, email, and patient portal access. We saw the biggest reduction in phishing risk after enforcing app-based MFA for all staff who access the optometry EHR and patient portal. Phishing attempts continued, but stolen passwords alone were no longer enough to compromise accounts.

Supporting practice: Low-cost, role-based phishing awareness training. Instead of long courses, we delivered short 20-minute sessions using real healthcare phishing examples (fake lab results, insurance updates, patient portal alerts). Staff were also shown exactly how to report suspicious emails.

Email hygiene improvements:
- External sender labeling
- SPF, DKIM, and DMARC enforcement
- Blocking look-alike domains used in healthcare phishing

Rollout approach: We piloted MFA with clinicians and front-desk staff first, resolved workflow issues, and expanded to all users within 30 days.

Impact:
- Noticeable drop in phishing click-through rates
- Zero EHR or patient portal account compromises in the past year
- Higher staff confidence and faster reporting of suspicious emails

Author Bio
Ankit Rai is a cybersecurity engineer and founder of Codevirus Security, specializing in healthcare, banking, and government cybersecurity. He has conducted security assessments, incident response support, and staff awareness programs for hospitals, financial institutions, and public-sector organizations across India. His work focuses on practical, low-cost security controls that reduce real-world cyber risk without disrupting operations.
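The two email hygiene items above (SPF/DMARC enforcement and blocking look-alike domains) can be checked mechanically. The following is an added example, not code from the post or from Codevirus Security; it runs over constructed DNS TXT records for made-up `.test` domains and uses a simple homoglyph normalisation plus string similarity as the look-alike heuristic (both are assumptions chosen for illustration, not a standard).

```python
"""Email hygiene checks: verify DMARC/SPF records actually enforce, and flag
look-alike sender domains against the practice's own domain."""
from difflib import SequenceMatcher

# Constructed sample TXT records (made-up .test domains, not real DNS data).
SAMPLE_TXT = {
    "_dmarc.example-optometry.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-optometry.test",
    "example-optometry.test": "v=spf1 include:_spf.mailprovider.test -all",
    "_dmarc.weak.test": "v=DMARC1; p=none; rua=mailto:reports@weak.test",
    "weak.test": "v=spf1 include:_spf.mailprovider.test ~all",
}

def parse_tags(record):
    """Turn 'v=DMARC1; p=reject' into {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforced(record):
    """Only p=reject or p=quarantine actually blocks spoofed mail; p=none just reports."""
    tags = parse_tags(record)
    return tags.get("v") == "DMARC1" and tags.get("p", "none").lower() in ("reject", "quarantine")

def spf_enforced(record):
    """A hard fail (-all) is enforcement; ~all and ?all only mark or ignore failures."""
    return record.startswith("v=spf1") and record.rstrip().endswith("-all")

def check_domain(domain, txt=SAMPLE_TXT):
    """Report whether a domain's published DMARC and SPF records enforce."""
    return {"dmarc": dmarc_enforced(txt.get("_dmarc." + domain, "")),
            "spf": spf_enforced(txt.get(domain, ""))}

def normalize(label):
    """Collapse common homoglyph substitutions (assumed list) before comparing."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        label = label.replace(fake, real)
    return label

def is_lookalike(sender_domain, own_domain, threshold=0.85):
    """Flag a sender domain that is not ours (or our subdomain) but looks like ours."""
    sender, own = sender_domain.lower(), own_domain.lower()
    if sender == own or sender.endswith("." + own):
        return False  # our own domain or a legitimate subdomain of it
    if normalize(sender) == normalize(own):
        return True   # differs only by homoglyph characters
    return SequenceMatcher(None, sender, own).ratio() >= threshold
```

Run `check_domain` against live TXT lookups (for example via `dnspython`) and `is_lookalike` over the sender domains in the mail gateway's logs to feed a block list.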
We moved beyond authenticator apps to phishing-resistant hardware security keys for every staffer that touches EHR data. Or, the bigger patient data breach risk: a staff member tapping 'Approve' on a push notification during a busy clinic day. It's so much easier to entice someone to tap 'Approve' for a ransom demand for stolen data than to compromise a hardware key. The authorities mandated rollout as a patient safety initiative; no 'IT' word was spoken. In 15-minute trainings, we distributed keys, appreciating the sense of empowerment attaching a device to their workstations can give to users. These hands-on activities kept help-desk tickets to a minimum and allowed us to achieve 100% adoption by our cutover in 2 weeks. The one-time hardware cost will be negligible next to the financial and reputational cost of even one HIPAA violation.