Memorial Day and the Cybersecurity Lessons of Military Discipline

This Memorial Day, as we honor those who served and sacrificed, there's something worth reflecting on beyond gratitude. The military's approach to security, with its emphasis on procedure, training, and operational discipline, offers lessons that translate directly to protecting your practice.

Procedure Over Improvisation

The military doesn't improvise its way through security. There are Standard Operating Procedures (SOPs) for everything: who has access to classified information, how sensitive documents are handled, how facilities are secured, how communications are encrypted.

Most small practices are the opposite. Security is ad hoc. Passwords are shared verbally. USB drives float between home and office. Backup verification is "I think it's running." There's no written procedure for handling a suspected breach.

You don't need military-grade SOPs. But you do need written procedures for:

  • How new employees get system access (and how departing employees lose it)
  • How backups are verified
  • How suspicious emails or calls are reported
  • How security incidents are handled
  • How patient data is transmitted securely

Training Is Not Optional

In the military, you don't get to skip training because you're busy or because you think you already know the material. Training is mandatory, regular, and tested. There are consequences for failure.

In most practices, security training is a once-a-year HIPAA refresher that nobody pays attention to. That's not training. That's checking a compliance box.

Real security training means:

  • Showing staff what phishing emails actually look like (use real examples)
  • Testing them with simulated phishing campaigns
  • Walking through what to do if they click something suspicious
  • Reinforcing the message regularly, not just once a year
  • Creating a culture where reporting mistakes is encouraged, not punished

Defense in Depth

Military installations don't rely on a single fence. They use layered defenses: perimeter security, access controls, identification checks, surveillance, and armed response. Each layer compensates for potential failures in the others.

Your practice should think the same way:

  • Perimeter: Firewall and email filtering
  • Access control: Strong passwords and two-factor authentication
  • Surveillance: Logging and monitoring
  • Response: Incident response plan
  • Recovery: Tested backups

No single layer is perfect. But together, they make a successful attack much harder.

Need-to-Know Access

In the military, access to classified information is based on need-to-know. Just because someone has a security clearance doesn't mean they can access everything. Access is limited to what's necessary for their specific role.

In your practice, this translates to the principle of least privilege. Your front desk staff doesn't need admin access to the server. Your hygienists don't need access to financial records. Your billing team doesn't need access to clinical notes beyond what's needed for coding.

Review your access controls. Most practices give far more access than necessary because it's easier than setting up proper permissions. "Easier" isn't the same as "secure."

Honor the Discipline

The men and women we honor today understood that security requires discipline, consistency, and sometimes inconvenience. The same principles apply to protecting the data your patients trust you with.

This Memorial Day, take a moment to appreciate the security discipline that protects our nation, and consider how your practice can apply those same principles on a smaller scale.