In March 2026, a San Antonio pediatric practice lost $340,000 to a business email compromise attack that originated with a single phishing click. The staff member who clicked had completed the practice's annual HIPAA training three months earlier. The training included the standard warnings: look for suspicious senders, hover over links, verify unusual requests. But when a convincing email arrived claiming to be from the practice's EHR vendor requesting a routine password reset, the training failed to prevent the click.
This incident illustrates why traditional annual security training is no longer adequate. The 2025 KnowBe4 Phishing by Industry Benchmarking Report found that healthcare and pharmaceutical organizations have the highest baseline phishing susceptibility of any industry, with 41.9% of employees likely to fall for social engineering or phishing attacks. However, the same report demonstrated that practices implementing ongoing security awareness training see an 86% reduction in phishing risk within 12 months, dropping the susceptibility rate to just 4.1%.
Most Texas medical practices approach security training as a compliance checkbox: require staff to complete a 30-minute online module once per year, document completion, and move on. This approach satisfies the training requirement but fails to change behavior in meaningful ways.
The problem with annual training is that it provides knowledge without habit formation. Staff may understand that phishing is dangerous and that they should verify unusual requests, but months later, when under time pressure and facing a convincing attack, that knowledge is not accessible in the moment of decision. Security awareness requires continuous reinforcement to become automatic behavior.
Moreover, annual training content is often generic, not tailored to the specific threats facing medical practices or the actual workflows of different staff roles. A billing coordinator faces different phishing risks than a clinical nurse, yet both receive identical training modules. The Austin practice that lost $340,000 discovered that their training had never addressed the specific vendor impersonation tactics used in the attack.
Effective security awareness in 2026 requires a continuous training model that reinforces security behaviors throughout the year through multiple touchpoints:
Baseline Testing: Begin with a simulated phishing campaign to establish the practice's current vulnerability baseline. This testing should use realistic scenarios based on current threat intelligence, not obvious fake emails that create false confidence. A Houston dermatology practice discovered that 38% of staff clicked simulated phishing links before implementing their new training program.
Short Monthly Modules: Replace the annual marathon session with brief 10-15 minute modules delivered monthly. These modules should focus on specific, timely topics: AI-generated phishing, deepfake voice calls, vendor impersonation, or social media harvesting. Monthly delivery keeps security top of mind without overwhelming staff.
Role-Based Scenarios: Tailor training content to specific job functions. Front desk staff need training on verifying caller identity and protecting patient information during phone conversations. Billing staff need training on recognizing wire transfer fraud and insurance impersonation. Clinicians need training on securing mobile devices and protecting credentials.
Simulated Phishing Campaigns: Conduct regular simulated phishing tests that reflect current attacker tactics. When staff click simulated links, they should receive immediate, constructive feedback explaining what indicators they missed and how to spot similar attacks. A Fort Worth practice reduced their click rate from 24% to 2% over six months using this just-in-time education approach.
Executive Modeling: Physicians and practice leadership must visibly participate in training and demonstrate security behaviors. When staff see leadership following verification protocols, they feel empowered to do the same without worrying about offending demanding callers or senior physicians.
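The baseline test, the role-based modules and the campaign-over-campaign tracking above all depend on the same measurement: click rate per role per simulated campaign. The script below is an added example (not WhyNotDoc's code or tooling) that computes those rates from simulation results, flags the roles whose rate exceeds a threshold so they can be given a role-specific module, and reports the reduction from the baseline campaign to the latest one. The campaign records, role names and the 25% threshold are constructed for the example; a real program would export the records from its phishing-simulation platform.

```python
"""Analyse simulated-phishing results by role and campaign (defender-side reporting).

Each record is (campaign_id, role, clicked). The data below is constructed
for the example and does not come from any real practice.
"""
from collections import defaultdict

RESULTS = [
    # Campaign 2026-01 is the baseline test.
    ("2026-01", "front_desk", True), ("2026-01", "front_desk", True),
    ("2026-01", "front_desk", False), ("2026-01", "front_desk", False),
    ("2026-01", "billing", True), ("2026-01", "billing", True),
    ("2026-01", "billing", True), ("2026-01", "billing", False),
    ("2026-01", "clinical", True), ("2026-01", "clinical", False),
    ("2026-01", "clinical", False), ("2026-01", "clinical", False),
    # Campaign 2026-02 ran after the first monthly module.
    ("2026-02", "front_desk", True), ("2026-02", "front_desk", False),
    ("2026-02", "front_desk", False), ("2026-02", "front_desk", False),
    ("2026-02", "billing", True), ("2026-02", "billing", True),
    ("2026-02", "billing", False), ("2026-02", "billing", False),
    ("2026-02", "clinical", False), ("2026-02", "clinical", False),
    ("2026-02", "clinical", False), ("2026-02", "clinical", False),
]


def click_rates(results):
    """Return {campaign: {role: click_rate}} from (campaign, role, clicked) rows."""
    sent = defaultdict(lambda: defaultdict(int))
    clicked = defaultdict(lambda: defaultdict(int))
    for campaign, role, did_click in results:
        sent[campaign][role] += 1
        if did_click:
            clicked[campaign][role] += 1
    return {c: {r: clicked[c][r] / n for r, n in roles.items()}
            for c, roles in sent.items()}


def overall_rate(results, campaign):
    """Practice-wide click rate for one campaign."""
    clicks = [did_click for c, _, did_click in results if c == campaign]
    return sum(clicks) / len(clicks)


def roles_needing_attention(rates, campaign, threshold=0.25):
    """Roles whose click rate in `campaign` exceeds the threshold.

    These are the candidates for a role-specific module (e.g. wire-fraud
    scenarios for billing). The 25% threshold is an assumption for the example.
    """
    return sorted(r for r, rate in rates[campaign].items() if rate > threshold)


def reduction_since_baseline(results):
    """Fractional drop in practice-wide click rate from the first to the latest campaign."""
    campaigns = sorted({c for c, _, _ in results})
    base = overall_rate(results, campaigns[0])
    latest = overall_rate(results, campaigns[-1])
    return (base - latest) / base if base else 0.0


if __name__ == "__main__":
    rates = click_rates(RESULTS)
    for campaign in sorted(rates):
        print(campaign, {r: f"{v:.0%}" for r, v in rates[campaign].items()})
        print("  needs role-specific module:", roles_needing_attention(rates, campaign))
    print(f"reduction since baseline: {reduction_since_baseline(RESULTS):.0%}")
```

Feeding every campaign's export through this keeps the baseline number honest: the reduction is always measured against the first realistic test, not against whichever later campaign happened to be easiest.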
While staff training addresses the human attack vector, medical device patching addresses a technical vulnerability that threatens patient safety and data security. The Texas HHSC directive issued April 1, 2026, specifically requires healthcare facilities to assess medical devices with network functions for potential cybersecurity risks and align with FDA guidance.
The FDA cybersecurity guidance referenced in the HHSC directive identifies critical vulnerabilities in patient monitoring devices, including the Contec CMS8000 and Epsimed MN-120, which could allow unauthorized remote access. These devices, and thousands like them deployed across Texas medical facilities, often run embedded operating systems that cannot receive traditional security updates.
The Patching Gap: A 2026 study found that 53% of connected medical devices and IoT devices in healthcare have at least one known critical vulnerability. More alarmingly, 8% of hospital imaging systems have known exploited vulnerabilities tied to ransomware attacks. These vulnerabilities persist because medical devices cannot be patched using standard IT processes.
Vendor Coordination Requirements: The HHSC directive explicitly requires facilities to coordinate with manufacturers and vendors to identify and mitigate vulnerabilities. This coordination is often where patching fails. Medical device vendors may delay providing patches, require on-site technician visits for updates, or charge fees for security updates that should be included in service contracts.
In February 2026, a Lubbock imaging center discovered that their CT scanner, purchased in 2019 and running Windows 7, had become infected with malware that spread to their network through an unpatched vulnerability. The device had been air-gapped originally but was later connected to the network to enable DICOM image sharing with referring physicians.
The imaging center's IT staff had never included the CT scanner in their vulnerability scanning because they assumed it was a closed medical device, not a Windows computer. The scanner had not received security patches in over three years because the vendor required a $4,500 service call to perform updates, and the practice had repeatedly deferred this expense.
The resulting breach required notification of 6,200 patients and cost the practice $187,000 in direct response expenses. The incident illustrates how the intersection of outdated device operating systems, vendor service costs, and misunderstanding of device architecture creates exploitable vulnerabilities.
Medical device patching requires a systematic approach that addresses the unique constraints of clinical technology:
Complete Device Inventory: Maintain an accurate inventory of all medical devices with network connections, including imaging systems, patient monitors, infusion pumps, and diagnostic equipment. Document operating systems, software versions, and last patch dates. This inventory should be reviewed quarterly.
Risk-Based Prioritization: Not all devices pose equal risk. Prioritize patching based on network exposure, vulnerability severity, and clinical criticality. Devices with internet exposure or remote access capabilities should be patched first. Systems running unsupported operating systems like Windows 7 require urgent attention.
Vendor Contract Negotiation: When negotiating or renewing medical device service contracts, explicitly include security update provisions. Require vendors to provide security patches at no additional cost and within defined timeframes after vulnerability disclosure. Include penalties for vendors who fail to meet security commitments.
Network Segmentation: Isolate medical devices on dedicated network segments with strict traffic controls. Devices should only communicate with necessary systems, and internet access should be blocked unless absolutely required. This segmentation limits the damage when a device cannot be patched.
Compensating Controls: When patching is not possible, implement compensating controls: enhanced monitoring of device traffic, additional firewall rules, or network access restrictions. The FDA guidance specifically recommends these approaches when patches cannot be applied.
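The inventory and risk-based prioritization steps above translate directly into a scoring pass over the device list. The script below is an added example (not WhyNotDoc's code or any vendor's tool) that scores each inventory entry on the factors named in the text (network exposure, remote access, unsupported operating system, vulnerability severity, clinical criticality), orders the devices for patching, and attaches the follow-up action each one needs, including the compensating controls for devices that cannot be patched. The inventory rows, the point weights, the 90-day patch-age limit and the review date are all constructed assumptions for the example; a practice would tune the weights to its own environment.

```python
"""Risk-based patch prioritization over a medical device inventory.

Inventory rows are constructed for the example and describe no real device.
Point weights are an assumption; adjust them to local policy.
"""
from datetime import date

INVENTORY = [
    {"name": "ct-scanner", "os": "Windows 7", "os_supported": False,
     "internet_exposed": False, "remote_access": True, "max_cvss": 9.8,
     "known_exploited": True, "criticality": 3, "last_patched": date(2023, 1, 15)},
    {"name": "ultrasound-ws", "os": "Windows 10", "os_supported": True,
     "internet_exposed": True, "remote_access": False, "max_cvss": 8.1,
     "known_exploited": False, "criticality": 2, "last_patched": date(2026, 1, 20)},
    {"name": "patient-monitor-3", "os": "embedded Linux", "os_supported": True,
     "internet_exposed": False, "remote_access": True, "max_cvss": 7.5,
     "known_exploited": False, "criticality": 3, "last_patched": date(2025, 9, 1)},
    {"name": "infusion-pump-12", "os": "vendor RTOS", "os_supported": True,
     "internet_exposed": False, "remote_access": False, "max_cvss": 5.3,
     "known_exploited": False, "criticality": 3, "last_patched": date(2026, 2, 1)},
]


def cvss_points(score):
    """Bucket a CVSS base score into 0-3 points (critical/high/medium/low)."""
    if score >= 9.0:
        return 3
    if score >= 7.0:
        return 2
    if score >= 4.0:
        return 1
    return 0


def risk_score(dev):
    """Additive score: exposure and exploitability first, then severity and criticality."""
    s = 0
    if dev["internet_exposed"]:
        s += 4   # reachable from outside: highest weight
    if dev["remote_access"]:
        s += 2   # vendor/remote-support path into the device
    if not dev["os_supported"]:
        s += 3   # no more OS patches coming (e.g. Windows 7)
    if dev["known_exploited"]:
        s += 3   # vulnerability is known to be used in attacks
    s += cvss_points(dev["max_cvss"])
    s += dev["criticality"]  # 1 (low) to 3 (patient-safety critical)
    return s


def prioritize(inventory):
    """Devices ordered for patching, highest risk first."""
    return sorted(inventory, key=risk_score, reverse=True)


def recommended_actions(dev, as_of, max_patch_age_days=90):
    """Follow-up items for one device, including compensating controls where patching is blocked."""
    actions = []
    if (as_of - dev["last_patched"]).days > max_patch_age_days:
        actions.append("patch overdue: schedule vendor update under the contract's security SLA")
    if not dev["os_supported"]:
        actions.append("unsupported OS: isolate on device segment, block internet, plan replacement")
    if dev["internet_exposed"]:
        actions.append("internet-exposed: remove exposure or restrict with strict firewall rules")
    if dev["known_exploited"]:
        actions.append("known exploited vulnerability: patch first and monitor device traffic")
    if not actions:
        actions.append("within policy: re-check at next quarterly review")
    return actions


if __name__ == "__main__":
    review_date = date(2026, 4, 1)  # constructed review date
    for dev in prioritize(INVENTORY):
        print(f"{risk_score(dev):>3}  {dev['name']:<18} {dev['os']}")
        for action in recommended_actions(dev, review_date):
            print("       -", action)
```

The output puts the unsupported, remotely accessible scanner with a known exploited vulnerability at the top of the list even though it is not internet-exposed, which is the ordering the Lubbock incident argues for; the device that scores lowest still gets a dated re-check rather than dropping off the list.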
The most effective security programs combine staff training with technical controls. Medical device security requires both: technical patching where possible and staff vigilance to detect when devices exhibit anomalous behavior that may indicate compromise.
Training should include specific guidance for clinical staff on recognizing potential device compromise: unexpected reboots, slow performance, unusual network activity, or changed configurations. Staff should know who to contact immediately when they suspect device security issues. The rapid response to suspicious device behavior can prevent minor malware infections from becoming major breaches.
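The segmentation and compensating-control steps earlier in the section and the "unusual network activity" indicator here meet in one control: a per-device allow-list of the destinations a device is permitted to reach, checked against its actual traffic. The script below is an added example (not WhyNotDoc's code or any product's detection rule) that parses constructed flow records, compares each flow against the device's allow-list and classifies every violation so the right person can be paged. The device names, addresses, the allow-list (a PACS on the DICOM port and an NTP server), the facility address range and the log line format are all assumptions constructed for the example.

```python
"""Allow-list audit of medical device network flows (monitoring as a compensating control).

Policy, addresses and log lines are constructed for the example. 11112 is a
commonly used DICOM port; 123 is NTP. The facility range is assumed to be 10.0.0.0/8.
"""
import re
from ipaddress import ip_address, ip_network

# Per-device allow-list: (destination network, port) pairs the device may reach.
POLICY = {
    "ct-scanner": [("10.20.0.10/32", 11112), ("10.20.0.2/32", 123)],
    "patient-monitor-3": [("10.20.0.20/32", 443)],
}
FACILITY_NETS = [ip_network("10.0.0.0/8")]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dev>[\w-]+)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<port>\d+)\s+proto=(?P<proto>\w+)\s+bytes=(?P<bytes>\d+)$"
)

# Constructed flow export; the two middle ct-scanner lines are the ones that should alert.
FLOWS = """\
2026-02-10T03:14:05 ct-scanner 10.20.1.5 -> 10.20.0.10:11112 proto=tcp bytes=5120000
2026-02-10T03:14:09 ct-scanner 10.20.1.5 -> 10.20.0.2:123 proto=udp bytes=96
2026-02-10T03:15:41 ct-scanner 10.20.1.5 -> 203.0.113.45:443 proto=tcp bytes=20480
2026-02-10T03:16:02 ct-scanner 10.20.1.5 -> 10.10.5.20:445 proto=tcp bytes=1310720
2026-02-10T03:16:10 patient-monitor-3 10.20.1.7 -> 10.20.0.20:443 proto=tcp bytes=4096
2026-02-10T03:16:12 patient-monitor-3 10.20.1.7 -> 10.20.0.21:22 proto=tcp bytes=512
"""


def parse_flow(line):
    """Parse one flow line into a dict, or None if the line does not match the format."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["port"] = int(flow["port"])
    flow["bytes"] = int(flow["bytes"])
    return flow


def is_allowed(device, dst, port):
    """True only if the device has an allow-list entry covering this destination and port."""
    rules = POLICY.get(device)
    if rules is None:
        return False  # unknown device: deny by default, it should be in the inventory
    addr = ip_address(dst)
    return any(addr in ip_network(net) and port == p for net, p in rules)


def classify(flow):
    """Label a disallowed flow so the alert tells the responder what kind of problem it is."""
    addr = ip_address(flow["dst"])
    if not any(addr in net for net in FACILITY_NETS):
        return "internet-egress"   # device reaching outside the facility
    if flow["port"] == 445:
        return "smb-lateral"       # file-sharing traffic from a device toward the business network
    return "policy-violation"      # internal, but not on the allow-list


def audit(log_text):
    """Return (timestamp, device, destination, port, label) for every disallowed flow."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or is_allowed(flow["dev"], flow["dst"], flow["port"]):
            continue
        alerts.append((flow["ts"], flow["dev"], flow["dst"], flow["port"], classify(flow)))
    return alerts


if __name__ == "__main__":
    for ts, dev, dst, port, label in audit(FLOWS):
        print(f"{ts} {label:<16} {dev} -> {dst}:{port}")
```

Because the allow-list is written per device rather than per network, connecting the scanner for DICOM sharing (as the Lubbock center did) adds exactly one rule, and anything else the device attempts, whether outbound to the internet or sideways over SMB, surfaces as an alert with a label that tells the on-call contact what to look at first.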
We develop continuous security training programs tailored to medical practice workflows and implement medical device security assessments that identify patching gaps before attackers do. Our services address both the human and technical vulnerabilities that threaten Texas healthcare organizations. We help you satisfy the HHSC directive requirements while actually improving your security posture.
Call 469-235-4144 or schedule online. We train Texas medical staff and secure Texas medical devices.