June 1, 2026

Cybersecurity Wake-Up Call: How One Click Can End Your Practice

One phishing email shut down a rehab clinic. Learn how to protect your private practice from cyber threats before they cost you everything.

Episode 1

It does not take a sophisticated hacker to take down a private practice. In this episode, Brandon Seigel sits down with Eve Martin, president and founder of M Qual, a full-stack IT and cybersecurity company serving healthcare practices for over two decades, to talk about the real threats facing private practices today and what it actually takes to protect against them.

Eve opens with a story every practice owner needs to hear. A rehabilitation center was hit by ransomware that began with a single phishing email. A staff member clicked a link that looked like legitimate insurance correspondence, downloaded malware, and within hours every file on the network was locked. Around 19,000 patients had their personal information exposed. The practice faced an OCR investigation and a class action lawsuit, and ultimately went out of business.

The anatomy of the attack is what makes it so instructive. The hackers did their homework: they scraped the practice website for staff names, cross-referenced LinkedIn profiles, and crafted a phishing email personalized enough to look credible. Brandon calls it social engineering. The lesson is not that staff are careless. It is that untrained staff are vulnerable by design.

Eve draws a critical distinction: tech support and cybersecurity are not the same thing. A break-fix IT person is not a cybersecurity professional. Protecting a practice requires layered defenses, including firewalls, endpoint protection, encrypted communications, and staff training. The CISA Small Business Cybersecurity Corner is a free resource worth bookmarking.

Multi-factor authentication (MFA) stands out as one of the simplest and highest-impact protections available. When every login requires a second verification step, a stolen password on its own is far less likely to become a breach. Eve is still surprised by how many practices have not enabled it on systems that hold protected health information.

Brandon and Eve also discuss what to do if you suspect a breach. Eve's answer is unequivocal: do not wait and see. Take the compromised device off the network immediately, contact a cybersecurity professional, and begin documenting. Acting quickly puts you in a far stronger legal position with the Office for Civil Rights and can be the difference between a manageable incident and a practice-ending one.

Key Takeaways

  • Phishing attacks, not sophisticated hacking, are the number one entry point for healthcare breaches
  • Social engineering makes phishing emails appear to come from trusted sources, including people you know
  • Tech support and cybersecurity are not the same. Practices need dedicated cyber protection
  • Enable multi-factor authentication on every system that touches patient data
  • If you suspect a breach, act immediately. Take the device offline and call a professional

"Amateurs hack systems. Professionals hack people."  -- Bruce Schneier

Ready to take your practice to the next level? Contact Wellness Works Management Partners today.