Cybersecurity Awareness Month: A 31-Day Plan for Your Practice

October is National Cybersecurity Awareness Month. And after the year we've had (Hollywood Presbyterian, Panama Papers, LinkedIn, Equifax, Yahoo), it's never been more relevant.

Instead of giving you another list of scary statistics, let's make this practical. Here's a week-by-week plan that any practice can follow to meaningfully improve security in 31 days. No massive budget required. Just time and attention.

Week 1: Know Where You Stand (Oct 1-7)

Monday: Inventory your systems. List every computer, server, phone, tablet, and network device in your practice. Include the operating system and version for each one. You can't protect what you don't know about.

Tuesday: Identify where sensitive data lives. Patient records, financial data, employee information. Which systems store it? Who has access? Is it encrypted?

Wednesday: Review your user accounts. Disable accounts for anyone who no longer works at the practice. Check for shared accounts (these should be eliminated).

Thursday: Check your backup system. Is it running? When was the last successful backup? Can you restore from it? Do a test restore of one file today.

Friday: Run a vulnerability scan. Free tools like Nessus Essentials can identify known vulnerabilities in your network. Or ask your IT provider to run one.
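Here is what Week 1 looks like once the inventory and account list exist as data rather than a notepad. This is an added example, not part of the original post: the devices, accounts, dates and the "unsupported OS" list are constructed for illustration, so replace them with your own export before drawing conclusions.

```python
"""Week 1 review over a constructed inventory and account export.

Added example, not from the original post. All devices, accounts, dates and
the end-of-support list below are constructed/assumed for illustration.
"""
from datetime import date, timedelta

TODAY = date(2017, 10, 2)  # constructed 'today' for the sample data
STALE_DAYS = 90            # assumption: unused this long -> verify and disable

# Assumption: operating systems whose vendor support has ended.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

# Constructed inventory (Monday/Tuesday): host, OS, does it hold PHI, is the disk encrypted.
INVENTORY = [
    {"host": "FRONTDESK-PC", "os": "Windows 10",          "stores_phi": False, "encrypted": False},
    {"host": "EHR-SERVER",   "os": "Windows Server 2003", "stores_phi": True,  "encrypted": False},
    {"host": "BILLING-PC",   "os": "Windows 10",          "stores_phi": True,  "encrypted": True},
    {"host": "DR-TABLET",    "os": "iOS 11",              "stores_phi": True,  "encrypted": True},
]

# Constructed account export (Wednesday): user, enabled?, last login, shared login?
ACCOUNTS = [
    {"user": "jsmith",    "enabled": True, "last_login": TODAY - timedelta(days=2),   "shared": False},
    {"user": "reception", "enabled": True, "last_login": TODAY - timedelta(days=1),   "shared": True},
    {"user": "oldtemp",   "enabled": True, "last_login": TODAY - timedelta(days=140), "shared": False},
    {"user": "dr_lee",    "enabled": True, "last_login": TODAY - timedelta(days=5),   "shared": False},
]


def review_inventory(inventory, unsupported=UNSUPPORTED_OS):
    """Flag devices running an unsupported OS or holding PHI without encryption."""
    findings = []
    for dev in inventory:
        if dev["os"] in unsupported:
            findings.append((dev["host"], "unsupported OS: " + dev["os"]))
        if dev["stores_phi"] and not dev["encrypted"]:
            findings.append((dev["host"], "stores PHI on an unencrypted system"))
    return findings


def review_accounts(accounts, today=TODAY, stale_days=STALE_DAYS):
    """Flag shared accounts and enabled accounts unused for longer than stale_days."""
    findings = []
    for acct in accounts:
        if acct["shared"]:
            findings.append((acct["user"], "shared login; replace with individual accounts"))
        if acct["enabled"] and (today - acct["last_login"]).days > stale_days:
            findings.append((acct["user"], f"enabled but unused for over {stale_days} days; verify and disable"))
    return findings


if __name__ == "__main__":
    for host, issue in review_inventory(INVENTORY):
        print(f"[device]  {host}: {issue}")
    for user, issue in review_accounts(ACCOUNTS):
        print(f"[account] {user}: {issue}")
```

Run it against a CSV exported from your domain controller or MDM instead of the inline lists, and the Monday-to-Wednesday findings become a short list you can hand to your IT provider before Friday's scan.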

Week 2: Shore Up the Basics (Oct 8-14)

Monday: Update everything. Push out all pending Windows updates, browser updates, and application patches. This single action closes more security holes than anything else you can do.

Tuesday: Implement a password policy. Minimum 12 characters, no password reuse, mandatory changes every 90 days. Set up a password manager for the practice if you don't have one.

Wednesday: Enable two-factor authentication on email, banking, and cloud services. Make it a requirement, not a suggestion.

Thursday: Review firewall rules. Are they current? Is the firmware up to date? Are the admin credentials changed from default? (See our Labor Day post.)

Friday: Check your Wi-Fi security. Is your practice network using WPA2 encryption? Is the guest network separated from the business network? Change the Wi-Fi password if it hasn't been changed in over a year.
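Tuesday's password policy is easy to state and easy to enforce inconsistently. The checks below are an added example (not the post's own tooling) of the three rules as written: 12-character minimum, no reuse, and a 90-day rotation. Previous passwords are kept only as salted PBKDF2-HMAC-SHA256 hashes so the history file never holds a password in the clear; the sample history and dates are constructed.

```python
"""Password policy checks for the Week 2 policy
(12-character minimum, no reuse, rotation every 90 days).

Added example, not from the original post. Password history is stored as
salted PBKDF2-HMAC-SHA256 hashes; the sample history and dates are constructed.
"""
import hashlib
import hmac
import os
from datetime import date

MIN_LENGTH = 12
MAX_AGE_DAYS = 90
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest) suitable for storing in the password history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(candidate, history):
    """True if candidate matches any stored (salt, digest) pair in history."""
    for salt, digest in history:
        _, cand_digest = hash_password(candidate, salt)
        if hmac.compare_digest(cand_digest, digest):
            return True
    return False


def check_new_password(candidate, history):
    """Return the list of policy violations for a proposed password (empty = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if was_used_before(candidate, history):
        problems.append("reuses a previous password")
    return problems


def rotation_due(last_changed, today, max_age=MAX_AGE_DAYS):
    """True if the password is at least max_age days old and must be changed."""
    return (today - last_changed).days >= max_age


# Constructed sample: one user's history holding two prior passwords (hashed, never stored in clear).
HISTORY = [hash_password("Winter2016Practice!"), hash_password("Spring2017Practice!")]

if __name__ == "__main__":
    for candidate in ("short1!", "Winter2016Practice!", "Autumn2017Practice!"):
        print(candidate, "->", check_new_password(candidate, HISTORY) or "accepted")
    print("rotation due:", rotation_due(date(2017, 6, 1), date(2017, 10, 2)))
```

A password manager does the per-site part of this for you; these checks are for the accounts the manager cannot cover, such as the domain login itself.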

Week 3: Train Your Team (Oct 15-21)

Monday: Send a phishing awareness email. Share examples of real phishing emails (redacted) and explain what to look for: urgency, unexpected attachments, mismatched sender addresses.

Tuesday: Conduct a team meeting on security basics. 15 minutes. Cover: don't click unknown links, verify unusual requests by phone, lock your workstation when you walk away, report anything suspicious.

Wednesday: Run a phishing simulation. Services like KnowBe4 offer affordable phishing tests. Send a simulated phishing email to your staff and see who clicks. No shaming. Just learning.

Thursday: Review physical security. Are server rooms locked? Are backup drives secured? Can visitors access workstations? Are screens visible to the waiting room?

Friday: Document everything you've done this week. HIPAA requires evidence of security training. Keep records of what was covered, who attended, and the date.
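The three tells from Monday's awareness email (urgency, unexpected attachments, mismatched sender addresses) can also be checked mechanically, which is handy for building the redacted examples you share with staff. The script below is an added example, not from the original post: both messages are constructed, and the practice name, mail domain, urgency keywords and risky file types are assumptions to adapt to your own practice.

```python
"""Flag the phishing indicators named in the Week 3 awareness email
(urgency, unexpected attachments, mismatched sender addresses).

Added example, not from the original post. The two messages are constructed;
the practice name/domain, keyword list and risky extensions are assumptions.
"""
import email
from email import policy
from email.utils import parseaddr

OUR_NAME = "example practice"            # assumption: the name staff expect in the From line
OUR_DOMAIN = "example-practice.com"      # assumption: the practice's real mail domain
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account suspended")
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".zip", ".docm", ".xlsm")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return a list of indicator descriptions found in an RFC 822 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]

    # Mismatched sender: the display name says it's us, the address says otherwise.
    if OUR_NAME in display_name.lower() and _domain(from_addr) != OUR_DOMAIN:
        indicators.append(f"display name claims {OUR_NAME!r} but address is {from_addr}")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        indicators.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # Urgency language in the subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))

    # Unexpected attachments of executable or macro-capable types.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            indicators.append(f"risky attachment type: {name}")
    return indicators


# Constructed sample: lookalike domain, foreign Reply-To, urgency wording, zip attachment.
SAMPLE_PHISH = """\
From: Example Practice IT Support <it-support@examp1e-practice.net>
Reply-To: helpdesk@mail-recovery.example
To: staff@example-practice.com
Subject: URGENT: account suspended - verify within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your mailbox will be suspended. Open the attached form immediately.
--b1
Content-Type: application/zip; name="account_form.zip"
Content-Disposition: attachment; filename="account_form.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: an ordinary internal reminder that should raise nothing.
SAMPLE_CLEAN = """\
From: Example Practice IT Support <it-support@example-practice.com>
To: staff@example-practice.com
Subject: Reminder: lock your workstation when you step away
Content-Type: text/plain; charset="utf-8"

Please lock your screen (Windows key + L) when leaving your desk. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, phishing_indicators(raw) or "no indicators")
```

None of these indicators is proof on its own (a legitimate vendor may well use a separate Reply-To), which is exactly the point to make in Tuesday's meeting: the rule is to verify unusual requests by phone, not to trust a checklist.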

Week 4: Plan for the Worst (Oct 22-31)

Monday: Write (or update) your incident response plan. One page. What happens if we get ransomware? Who do we call? What's the first step? Where are the backups?

Tuesday: Review your insurance. Do you have cyber liability insurance? If so, does it cover ransomware payments, breach notification costs, and business interruption? If not, get quotes.

Wednesday: Collect Business Associate Agreements. List every vendor that handles patient data. Verify you have a signed BAA from each one.

Thursday: Run a tabletop exercise. Gather your key staff and walk through a scenario: "It's Tuesday morning and our server is encrypted with ransomware. What do we do?" Discuss each step. Identify gaps in your plan.

Friday: Schedule recurring security tasks. Monthly: review firewall logs and test backup restore. Quarterly: security awareness refresher for staff. Annually: full risk assessment and policy review.
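Friday's "review firewall logs" entry is the one most likely to be skipped when it is just a calendar reminder. Below is an added example (not from the original post) of what a monthly review can reduce to: a summary of denied connections per source and port, plus two things worth a human look, repeated probing of one port and any allowed inbound connection to a management port. The log lines are constructed in a generic key=value style; real firewalls differ, so adapt parse_line() to yours. The management-port set and the repeat threshold are assumptions.

```python
"""Monthly firewall-log review for the Week 4 recurring-task schedule.

Added example, not from the original post. Log lines are constructed in a
generic 'timestamp key=value ...' style; the management-port set and repeat
threshold are assumptions to tune for your practice.
"""
import re
from collections import Counter

# Constructed sample: a handful of inbound events from a month of logs.
SAMPLE_LOG = """\
2017-10-03T02:14:05 action=deny src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2017-10-03T02:14:06 action=deny src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2017-10-03T02:14:07 action=deny src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2017-10-03T02:14:08 action=deny src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2017-10-04T11:00:00 action=allow src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2017-10-05T09:30:12 action=deny src=198.51.100.9 dst=192.0.2.11 dport=445 proto=tcp
2017-10-06T23:59:59 action=allow src=203.0.113.50 dst=192.0.2.10 dport=3389 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
MGMT_PORTS = {22, 3389, 445}   # assumption: admin/file-sharing ports that should not be reachable from outside
REPEAT_THRESHOLD = 3           # assumption: denies per source+port that warrant a closer look


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (None if unparseable)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    fields["dport"] = int(fields.get("dport", 0))
    return fields


def review_firewall_log(text):
    """Return (denies_by_source_port, findings).

    denies_by_source_port counts denied hits per (src, dport); findings lists
    allowed inbound hits on management ports and sources that were denied
    REPEAT_THRESHOLD or more times on one port.
    """
    denies = Counter()
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec.get("action") == "deny":
            denies[(rec.get("src"), rec["dport"])] += 1
        elif rec.get("action") == "allow" and rec["dport"] in MGMT_PORTS:
            findings.append(
                f"ALLOWED inbound to management port {rec['dport']} on {rec.get('dst')} "
                f"from {rec.get('src')} at {rec['ts']}; review the rule that permits this"
            )
    for (src, port), n in sorted(denies.items(), key=lambda kv: -kv[1]):
        if n >= REPEAT_THRESHOLD:
            findings.append(f"{src} was denied on port {port} {n} times; repeated probing")
    return denies, findings


if __name__ == "__main__":
    denies, findings = review_firewall_log(SAMPLE_LOG)
    for (src, port), n in denies.most_common():
        print(f"denied {n:>3}x  {src} -> port {port}")
    for f in findings:
        print("FINDING:", f)
```

The denied-traffic counts are mostly background noise and need no action; the findings list is what goes into the monthly record, and an allowed hit on a management port is a reason to revisit Week 2's firewall-rule review rather than wait for next month.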

The Point Isn't Perfection

If you follow even half of this plan, your practice will be meaningfully more secure on November 1st than it was on October 1st. You don't need to do everything at once. Pick the items that address your biggest gaps first.

The practices that get breached aren't the ones who missed one item on a checklist. They're the ones who never started the checklist at all.

Happy Cybersecurity Awareness Month. Let's make it count.