The Intake

Insights for those starting, managing, and growing independent healthcare practices

Cost-effective HIPAA cybersecurity training for medical practices

Discover free and low-cost HIPAA cybersecurity resources to protect your practice from costly data breaches and compliance penalties.

Last updated on 05/12/2025

At a Glance

  • 72% of practices have increased cybersecurity spending as ransomware attacks rise.
  • Free tools like ONC’s Risk Assessment Tool help meet HIPAA requirements.
  • Cost-effective strategies include posters, email tips, and partnering with IT students.

According to the Medical Group Management Association (MGMA), 72% of medical practices increased spending on cybersecurity measures in 2024, and it is not hard to see why. Cyberattacks continue to affect covered entities, including medical practices of all sizes and specialties. In fact, 42% of medical practices have experienced a ransomware attack, and of those, 48% say it impacted patient data.

Understanding and complying with the cybersecurity requirements of the Health Insurance Portability and Accountability Act (HIPAA), including the proposed changes to its Security Rule, is critical. However, employee cybersecurity training can be expensive, potentially costing medical practices thousands of dollars each year.

Fortunately, there are a variety of low- or no-cost HIPAA cybersecurity resources to promote cybersecurity on a limited budget. Consider the following cost-effective resources.

1. Risk analysis 

It's important to conduct a compliant risk analysis to determine your practice's potential risks and vulnerabilities. Failing to do so can result in serious penalties; it cost one surgical group $10,000 in 2023.

The Office of the National Coordinator for Health Information Technology (ONC) provides a free Security Risk Assessment Tool designed to help covered entities comply with HIPAA’s administrative, physical, and technical safeguards and identify areas where electronic protected health information (ePHI) could be at risk. 

Tebra offers independent practices a secure platform to manage their services and sensitive documentation, including ePHI data. Book a personalized demo today.

2. Vulnerability scans and penetration testing

Free and open-source security tools can cover much of the technical work behind HIPAA compliance. For example, such tools can handle tasks like:

  • Scanning internal and external networks for known vulnerabilities
  • Scanning web servers for outdated software and insecure files
  • Supporting penetration testing and exploit testing (a penetration test itself is a hands-on exercise performed by a person; scanners only automate parts of it)

Two tools often mentioned in this context are GoPhish, a free, open-source phishing simulation framework, and KnowBe4, a commercial security awareness training platform. Note that both address phishing awareness rather than vulnerability scanning. Also note that the proposed HIPAA Security Rule changes would require vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.

3. Multi-factor authentication and encryption of ePHI

There are free or low-cost identity and access management (IAM) tools and multi-factor authentication solutions, as well as encryption features built into modern operating systems, budget-friendly encrypted email services or secure messaging apps, and free TLS/SSL certificates for securing communication.

This is good news, because the proposed HIPAA Security Rule changes would require encryption of ePHI at rest and in transit, with limited exceptions, and would likewise require multi-factor authentication.

4. General cybersecurity training

Here are some free training options to consider:

In addition, your practice's outsourced revenue cycle vendor may provide low-cost or free cybersecurity training. The same is true for industry associations like the Healthcare Information and Management Systems Society (HIMSS) or MGMA, where medical practices may be able to leverage member discounts or bulk licensing for team training.

Your practice may be able to partner with local colleges or IT students looking for internship projects who can help with free cybersecurity training and developing HIPAA cybersecurity resources, materials, simulations, or workshops. If so, it’s a win-win situation. Your staff receive valuable information, and students gain exposure working in a live healthcare environment. 

To reduce risk, consider making cybersecurity and HIPAA training part of the standard onboarding process for new employees. Record a training video and then reuse it as needed. 

HIPAA noncompliance is not something to take lightly. One orthopedic clinic had to pay $1.5 million back in 2016 to settle systemic noncompliance with HIPAA rules.

5. Additional strategies

There are plenty of other ways to keep staff "in the know" with cybersecurity without investing a lot of money. 

Posters

Consider using posters or visual reminders in break rooms or at the front desk with topics like "Think Before You Click" or "Healthy Cyber Habits."  

Click here and scroll down to "Cyber Posters" for some examples. Infosec offers some additional examples as well. 

Regular emails

Practices can also send a daily or weekly cybersecurity tip (here’s some inspiration) as a standalone email to keep the topic fresh in employees’ minds. 

Learning from other medical practices’ mistakes

There are many lessons to learn from costly mistakes other practices have made. Simply being aware of resolution agreements and civil monetary penalties can help your practice focus its efforts to identify and mitigate vulnerabilities in the most cost-effective ways. 

In addition, as the HHS Office for Civil Rights (OCR) continues its 2024-2025 HIPAA audits, best practices will continue to surface. OCR will also publish an industry report summarizing its findings after the 2024-2025 HIPAA audits are completed. Here's a link to the findings from its most recent audits.

Looking ahead

Many of the low-cost or free cybersecurity training opportunities referenced in this article can substantially enhance compliance, risk mitigation, and your ability to maintain the privacy and security of ePHI. By using these cost-effective strategies, your practice, like any other covered entity, not only meets its obligations under HIPAA but also acts in the best interests of patients and providers.

There are numerous resources available for review, and the earlier your practice begins preparing for current and forthcoming cybersecurity requirements, the more successful you’ll be.

Lisa Eramo, freelance healthcare writer

Lisa A. Eramo, BA, MA is a freelance writer specializing in health information management, medical coding, and regulatory topics. She began her healthcare career as a referral specialist for a well-known cancer center. Lisa went on to work for several years at a healthcare publishing company. She regularly contributes to healthcare publications, websites, and blogs, including the AHIMA Journal. Her focus areas are medical coding, and ICD-10 in particular, clinical documentation improvement, and healthcare quality/efficiency.