Many small practice owners, including Nurse Practitioners, feel intimidated and overwhelmed by what they see…

• Large hospital systems that dominate the market and keep acquiring small practices
• Corporate healthcare groups that keep expanding
• Urgent care chains and retail clinics that seem to be springing up everywhere
• Private equity firms that are increasingly investing in healthcare organizations
• And… the growing presence of telehealth

To make matters worse, most organizations don’t just open up one clinic.

They open up multiple locations, with up-to-date technology and equipment. They come with large advertising budgets and strong brand recognition.

As a result, small practices feel pressure from these competitors with deep pockets and greater visibility.

It’s understandable why small practices may feel intimidated.

Who wouldn’t be?

Some NP practice owners even assume that small practices cannot compete long-term.

But that’s an assumption, and it may not be accurate.

Small practices don’t need to outspend large healthcare systems to compete successfully.

They have something that works in their favor; something they tend to minimize, if not overlook altogether.

In fact, independent NP practices have advantages that large organizations struggle to replicate.

While large healthcare systems may dominate through scale, independent practices win by bringing trust, relationship-building, flexibility, and a better patient experience to the table.

A Common Mistake

Here is a common mistake some small practices make: they try to look like a large organization.

They think they must appear bigger, more corporate, or more technologically advanced to remain competitive.

However, patients usually don’t choose an independent practice because they want a corporate experience.

They choose a small practice with an independent provider because they want the opposite.

They want and value:

• Personalized care
• Better communication
• Shorter wait times
• Greater continuity
• Feeling heard and respected

These are areas where small practices typically outperform larger organizations.

“We Listen, We Care” was the USP Barbara Phillips, of NPBusiness.org, chose for her first practice because her patients repeatedly told her they felt listened to.

So rather than trying to “look big,” focus on maximizing the advantages of being small to stay competitive.

Your Unique Advantage

One of your greatest strengths, as an independent NP practice owner, is the opportunity to build stronger relationships with your patients.

Larger healthcare systems often struggle with rushed, short appointments and high provider turnover.

Patients may see a different provider at each visit; some feel they are just another number in a big machine.

But your small practice can provide a different experience.

Patients like and appreciate:

• More personalized attention
• More time with the provider
• Consistent follow-up
• Familiarity and continuity
• Direct and open communication

These relationship-driven experiences build trust, which strongly impacts loyalty and referrals.

Most patients don’t simply want healthcare.

They want to work with a provider who genuinely listens and cares.

Small Practices Can Adapt Faster

Another advantage you, as a small provider, have is flexibility.

Larger organizations typically move more slowly because of policies and organizational red tape. Small practices can usually adapt far more quickly.

A small, independent practice can:

• Add a new service without needing approval
• Quickly adjust scheduling
• Change communication systems as needed
• Respond to patient feedback fast

This built-in flexibility allows a small practice to respond to patient needs much faster than a larger organization.

Community Connection Creates Trust

Small practice owners often have a deeper connection to their communities.

They may participate in local events, support community organizations, and support nearby businesses.

That local connection creates familiarity and trust that larger systems find difficult to establish.

Community visibility also helps with marketing. Often, patients are more likely to trust providers who participate in local activities, educational events, or community outreach.

While larger healthcare organizations focus on branding and advertising, patients increasingly want to work with someone they can trust.

People want better access to care, providers who remember them, and healthcare that feels personal.

Trust is becoming a competitive advantage for smaller practices and creating a tremendous opportunity for independent NP business owners.

While large healthcare systems may have bigger budgets, small practices can often create stronger emotional connections with patients.

Marketing Creates Visibility

You can’t grow your practice if no one knows you exist.

That’s why marketing is so essential.

Fortunately, effective marketing doesn’t require an enormous budget or complicated strategies.

Educational marketing works well for small practices. Things like helpful articles, newsletters, FAQs, patient handouts, videos, and community education all help establish credibility and trust.

Local visibility is equally important.

That means optimizing your Google Business Profile, improving your website to communicate your practice’s benefits clearly, collecting patient reviews, and participating in community events to increase awareness of your practice.

The majority of patients search online before scheduling appointments. A strong online presence helps smaller practices compete against larger organizations.

Consistency Matters

Don’t assume that marketing must be expensive or complicated to be effective.

Simple and consistent marketing often works best… keep it simple.

Small providers don’t need fancy advertising campaigns.

What they need, however, is to stay visible, trustworthy, and, if possible,  connected to their communities.

• An educational article published regularly may outperform expensive advertising over time.
• Consistent patient communication may create more loyalty than expensive branding campaigns.

The key is consistency.

Summing up…

Small independent practices can compete with larger organizations.

The competitive advantage lies in being different.

Embrace it and use it to your advantage.

Some patients may choose larger organizations for convenience.

Still, many stay loyal to a small practice for trust, relationships, communication, and personalized care, the very qualities that are difficult to create consistently in large organizations, but come naturally to small practices.

And when combined with simple, consistent marketing, these strengths allow independent NP practices not just to compete, but to thrive.

Worried about competing against well-funded healthcare systems?

Share your thoughts and experience; leave your comment below…

By Johanna Hofmann, MBA, MAc., regular contributor to the NPBusiness blog and author of “Smart Business Planning for Clinicians.”

The post How Can A Small Practice Compete With Large Healthcare Systems? appeared first on Nurse Practitioners in Business.

For many Nurse Practitioners, along with other small practice owners,  the phrase “pen-testing”, or penetration testing, sounds intimidating, expensive, and technical.

And that reaction is understandable.

Because the proposed updates to the HIPAA Security Rule and broader healthcare cybersecurity initiatives increasingly point toward annual penetration testing as part of an ongoing cybersecurity program.

Relax…

No law has been passed, and nothing is set in stone… yet.

But regardless, there are a few problems with the proposed rules, a major one being the added expense for small practices.

Because most Nurse Practitioners and other independent practice owners do not have:

• IT departments
• Cybersecurity experts on staff
• Large cybersecurity or compliance budgets
• Enterprise-level infrastructure in place

But not all is lost…

The good news is that small practices can still implement effective penetration testing and improve cybersecurity without spending enormous amounts of money.

The key is understanding what the government is actually expecting and taking a practical, risk-based approach.

The Proposed Rules

Under the proposed HIPAA Security Rule updates, all healthcare organizations may eventually be required to conduct:

• vulnerability scanning at least every six months
• and penetration testing at least once every 12 months

The government also increasingly emphasizes the importance of:

• ongoing risk management

• vulnerability identification
• up-to-date documentation
• and reasonable security practices

For small practices, this is important because the expectation is not perfection.

The expectation is that small healthcare organizations make a reasonable, ongoing effort to identify and reduce cybersecurity risks.

What is Penetration Testing?

Penetration testing, often called “pen testing,” is a controlled cybersecurity exercise where authorized professionals attempt to identify weaknesses in systems before criminals do.

A penetration test may evaluate components like:

• Internet-facing systems
• Firewall configurations
• Password security
• Wi-Fi security
• Remote access
• Access to patient information
• Email vulnerabilities
• Employee phishing susceptibility
• Weaknesses inside the office network

Again, the goal is not perfection, but to identify major risks and reduce them before hackers find them first.

Under the proposed HIPAA Security Rule updates, penetration testing would likely be required at least once every 12 months.

While no requirements are in place at this time, it’s important to take steps now to make your office as safe as possible from cyberattacks.

Focus on the Basics Before Pen-Testing

Before investing in penetration testing, practices should first implement the core protections the government is already emphasizing:

• using strong passwords
• keeping all software updated
• remove all unsupported software
• use of multi-factor authentication (MFA)
• use of encrypted devices
• using secure backups
• providing employee cybersecurity training
• Tracking all devices and software in use
• Removing access to systems when no longer required

These are weaknesses a pen-test will uncover. So, fixing obvious issues will reduce both risk and testing costs.

There’s no need to pay for advanced cybersecurity services before addressing basic security problems.

What is a Vulnerability Scan?

The proposed rules also emphasize routine vulnerability scanning in addition to penetration testing.

These are two different things.

Pen-Testing involves evaluation by a professional, whereas a vulnerability scan is a piece of software that searches a system for known weaknesses.

There are numerous options on the market; some are standalone software, while others are subscription-based for vulnerability scanning.

When selecting vulnerability scanning software, be sure it is HIPAA-compliant and has a proven track record in healthcare.

Work With Smaller Cybersecurity Firms or Freelancers

With respect to pen-testing, don’t assume you must hire a large cybersecurity company to perform penetration testing for your practice.

A smaller independent practice may be well served by:

• a qualified cybersecurity freelancer
• a cybersecurity consultant
• or a smaller healthcare-focused security company

The key issues are qualifications and documentation.

The proposed HIPAA guidance refers to testing by “qualified persons” with appropriate cybersecurity knowledge and experience.

As always, do your due diligence and ask questions:

• What healthcare experience do you have?
• What type of penetration testing do you perform?
• What systems are included?
• Will you provide a written remediation report?
• Do you retest after vulnerabilities are corrected?
• Can you scale services for small practices?

Avoid vendors that immediately push expensive, long-term contracts before understanding the practice’s actual size and complexity.

Leverage Free Government Resources

At this time, May 2026, no scans or pen testing are mandated.

However, it is recommended that you get a head start on what’s coming down the pike.

Why not start by using the federal government’s resources?

Many practices overlook the fact that the federal government already provides substantial free cybersecurity guidance.

The Cybersecurity and Infrastructure Security Agency (CISA) offers:

• healthcare cybersecurity guidance
• ransomware prevention resources
• vulnerability advisories
• phishing education
• incident response materials
• and security checklists

Similarly, HHS HIPAA Security Rule Guidance provides security guidance specifically for healthcare organizations.

Small practices should not underestimate the value of these free resources.

Documentation Is Becoming Critically Important

And finally…

One of the clearest themes emerging is the importance of up-to-date documentation.

Because even basic documentation can demonstrate good-faith compliance efforts.

Increasingly, regulators likely will ask:

• Did the practice identify risks?
• Did it conduct testing?
• Were vulnerabilities addressed?
• Was corrective action documented?

This means your practice should maintain things like:

• Penetration test reports
• Remediation records
• Vulnerability scan results
• Software update logs
• Employee training records
• Cybersecurity policies

Cybersecurity Is Becoming an Ongoing Effort

Perhaps the most important takeaway is this…

Cybersecurity is no longer a one-time project.

In the future, all healthcare organizations will be expected to demonstrate continuous security efforts rather than an occasional activity.

But don’t let that intimidate you.

We all need to implement stronger cybersecurity practices at the personal, business, and government levels.

That doesn’t mean your small practice has to turn into a cybersecurity company.

However, it means implementing manageable, yet simple routines, including regular:

• Testing
• Software updates
• Employee training
• Backups
• Ongoing documentation

Small, consistent improvements are often far more effective than expensive one-time security projects.

The practice that begins implementing these habits now will likely be in a much stronger position as healthcare cybersecurity requirements continue to evolve.

Join the conversation by leaving a comment or question below.

Let us know if you have any questions or would like more information on specific topics.

By Johanna Hofmann, MBA, MAc., regular contributor to the NPBusiness blog.

The post Cybersecurity: What Every NP Must Know Part 5: Pen-Testing appeared first on Nurse Practitioners in Business.

We all know, or at least sense, that life unfolds in patterns and seasons…

• birth, growth, death
• spring, summer, fall, winter
• dawn, day, dusk, night

As chaotic and random life can be at times, there is some predictability.

Healthcare is no exception…

While demand for healthcare never disappears, it tends to fluctuate in somewhat predictable patterns throughout the year.

For small NP owned practices, understanding these patterns can be the difference between struggling to keep the doors open and operating with a sense of control and stability.

Seasonal patterns repeat, are real, and predictable. And with a bit of planning, you can anticipate and leverage them to grow your practice.

Seasonal Patterns in Healthcare

Healthcare isn’t delivered evenly across the calendar. Instead, it follows patterns tied to:

• The weather
• Human behavior
• The economy
• Insurance rules
• Public health concerns

Flu Season

One of the most predictable patterns is the fall and winter surge in respiratory illnesses.

Every year, cases of influenza, COVID-19, RSV, bronchitis, and pneumonia increase as winter approaches and temperatures drop.

According to the Centers for Disease Control and Prevention, flu activity typically rises in the fall and peaks between December and February, though it can last into spring.

The CDC recommends vaccination in early fall, generally September or October, in preparation for the seasonal wave.

As it gets colder outside, people spend more time indoors, kids are in school, and holiday get-togethers increase close contact… all perfect conditions for respiratory viruses to spread easily.

Why not plan an official “flu clinic” event at your office, or start offering the vaccine during appointments as the flu season approaches?

It’s simple to implement, is beneficial and convenient for patients, and it adds to your bottom line.

Most people will get vaccinated…  why not in your office?

Allergy Season

Another predictable seasonal cycle happens in spring and fall, when allergy-related conditions are on the rise.

Tree pollen, grasses, weeds, ragweed… and more, are on the loose for much of the year.

For some, allergies are a mild inconvenience. But for others, they cause real health problems and lead to increased healthcare utilization.

The CDC estimates that pollen exposure contributes to billions of dollars in healthcare costs annually, driven by increased visits, medications, and complications such as asthma exacerbations.

For many primary care and specialty practices, these periods bring a noticeable uptick in visits for sinusitis, allergic rhinitis, and asthma-related issues.

Allergies happen predictably every season…

So why not integrate allergy-related services into your current service offering?

Chances are you already do that, but the question is… do your patients know about it?

Include all allergy-related services you offer in your marketing materials, and let your patients know that you can help them get through the next allergy season.

Summer Season

The summer season sees a different mix…

With kids out of school, people travel or spend time away on vacation. Naturally, families shift their focus away from healthcare unless a clinic visit becomes necessary.

While the season tends to be a bit slower and many practices see a dip in routine visits, often, there is still some seasonal demand for healthcare.

Summer visits may bring more heat-related injuries or dehydration to your office, in contrast to the illness-driven visits during winter.

At the same time, depending on the type of office and the services provided, there may be an increase in appointments for travel care or for the treatment of minor injuries associated with increased outdoor activity.

Many offices see an uptick in school and sports physicals during late summer as people prepare for kids to return to school.

For some practices, especially pediatrics and family medicine, this can create short bursts of activity within an otherwise slower season.

Make it a point to remind patients of all the services your office provides. Send emails, create a newsletter, send flyers, and make patient education materials available in your waiting room.

Unless people are aware of everything you offer in your practice, they can’t utilize it.

Mental Health

Seasons and patterns aren’t limited to physical health. Mental health also follows recognizable patterns.

Take SAD (Seasonal Affective Disorder) as an example.

The National Institute of Mental Health tells us that SAD  typically begins in late fall or early winter and tends to improve in spring or summer.

Another example is the increase in depression and anxiety for some individuals around the major holidays.

Both patterns may lead to increased demand for mental health services around major holidays and during darker months, particularly in regions with shorter daylight hours.

Insurance Rules

Aside from weather, biology, and holidays, insurance can play a major role in healthcare seasonality.

January often brings a slowdown in appointments, as people face post-holiday bills and must meet insurance deductibles before visits and care are covered again.

Once deductibles have been met, healthcare demand often increases again toward the end of the year. For some practices, this pattern creates a surge in Q4 visits, followed by a slowdown in Q1.

Of course, this dynamic applies primarily to offices that accept Medicare and commercial insurance.

Seasonal Patterns: A Double-Edged Sword

For small practices with limited personnel, seasonal demand fluctuations can create operational challenges.

While seasonality cannot be eliminated, it can be managed and even used strategically to grow your practice.

Since every practice is different, it’s important to know and understand your own data.

Start by reviewing the number of patient visits, revenue, and payer mix over the past 12 to 24 months. From there, you should be able to create a simple seasonal calendar that shows you the expected highs and lows.

Next, focus on using slower periods intentionally.

Instead of passively allowing patient visits to decrease, plan to offer preventive and recall-based care during slow times.

Annual wellness visits, chronic disease follow-ups, medication reviews, and screenings can be scheduled proactively during quieter months.

Create seasonal campaigns, including flu vaccine reminders in early fall, allergy preparation in late winter, and sports physical reminders in early summer, to level patient visits and improve clinical outcomes.

Healthcare is inherently unpredictable, so remaining flexible is important. Remember that seasonal patterns are not set in stone and can shift due to factors such as pandemics, natural disasters, or changes in insurance policies.

Predictable… If You Plan For It

While shifts in healthcare demand may seem random, they are not.

Seasonal patterns in healthcare simply reflect a combination of human behavior, environmental conditions, and financial realities that are built into the system.

For small NP-owned practices, recognizing and working with these patterns can create opportunities to grow the business.

Instead of being blindsided by sudden volume swings, you can prepare for them, balance practice workloads, and stabilize or even increase your revenue.

While much of healthcare may feel unpredictable, seasonality is something you can actually plan and prepare for.

Are you tuned in to the seasonal patterns in your practice? Or do you see them now after reading the article?

Let us know in the comments below…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post How to Leverage Seasonal Patterns to Grow Your Practice appeared first on Nurse Practitioners in Business.

If that’s not bad enough for patients, it creates a ripple effect challenge for practices.

What used to be collected from insurance is now sitting in your accounts receivable, waiting to be collected from your patients.

But without a clear, consistent process in place, those balances stay on the books far too long, or disappear entirely.

Today, collecting patient balances is no longer a small part of billing, but a significant part of your income.

Why Collections are Challenging

Most practices don’t struggle with collections because they don’t make an effort. They struggle because it’s uncomfortable, and they lack effective systems.

Nurse Practitioners were never trained to talk about money.

And…  Isn’t it a contradiction to talk about money in a healthcare setting?

That’s certainly what most of us have learned; not because of what was said, but rather what wasn’t…

Money, the cost of healthcare, was never discussed!

The subtle message was that discussing money in a clinical setting is distasteful, even inappropriate.

As a result, financial conversations are often delayed, softened, or skipped altogether.

And on top of that, many practices operate without a clearly defined financial policy or one that’s not consistently enforced by everyone in the office.

One team member collects at check-in, another forgets, and another hesitates in enforcing the policy if the patient pushes back.

Over time, this inconsistency trains patients to think it’s okay not to pay when they come to an appointment.

So the clinic relies on billing after the visit. Not only does this create an additional expense for you, but by then, the patient has left, the urgency is gone, and collection becomes significantly more challenging.

The best time to collect payment is at the time of service!

Set Clear Expectations

If you want to improve your collections, start by setting clear expectations and repeating them often.

Your practice must have a written financial policy that clearly explains what patients are responsible for and when payment is expected.

This includes co-pays due at the time of service, as well as any applicable deductible or co-insurance amounts.

But having a financial policy isn’t enough.

Patients need to see it, hear it, and be reminded of it. That means including it in your intake paperwork, referencing it in appointment reminders, and making it easily accessible on your website.

When expectations are clear, collections become less confrontational and more routine.

The Best Opportunity: Upfront Collection

As mentioned earlier, the single most effective way to improve collections is to collect at the time of service, before the appointment.

This may require a shift in mindset… for clinic staff and patients.

While short-term credit in grocery stores, pharmacies, and other establishments was common years ago, the days of “put it on my tab” are long gone.

Instead of hoping to collect later, your team must collect payment upfront, just like in other industries.

For a clinic, it starts with verifying insurance and estimating the patient’s responsibility before the visit, whenever possible. Even a rough estimate is better than saying nothing at all.

Equally important is how the conversation is handled. A simple, confident approach works best: “Your estimated responsibility today is $75.”

Patients take their cues from you and your staff. When you communicate insecurity, patients pick up on it.

But when you approach payment as standard and expected, most patients will handle it without hesitation.

While most financial conversations should happen at check-in, there are times when they need to happen during the visit.

If additional services are recommended that may increase the patient’s cost, it’s important to communicate that clearly. Patients don’t like surprises, especially when it comes to their bills.

After-the-Fact Collections Still Matter

Even with strong upfront systems, there will always be balances that need to be collected after the visit.

And this is where consistency is critical.

Claims should be submitted promptly.

Patient statements must be clear and easy to understand, and be mailed as soon as patient balances become available.  

Confusing bills are often ignored, as are bills mailed weeks or even months after the date of service.

Establish a regular billing cycle (30, 60, and 90-day) and stick to it.

Make it Easy for Patients to Pay

Offer multiple ways for patients to pay their balance.

Make both in-office and online options available so patients can easily manage their financial responsibilities.

Also, consider offering structured payment plans when appropriate, or connect with a third-party financing provider.

And here is the key… follow-up!

A simple reminder, whether by text, email, or phone, can significantly improve collection rates.

People are busy, and some do forget…

What to Do When Payments Don’t Come In

No matter what you do, though, some accounts will remain unpaid.

This is where knowing what to do next comes in handy.

Decide in advance what the cutoff is for moving accounts from internal follow-up to external collections. And when that point has been reached, turn the overdue account over to collections without delay.

Be sure to include in your financial policy that delinquent accounts are turned over to collections.

Initially, I didn’t want to involve a collection agency; I gave people all the benefit of the doubt…

However, after just a short time in practice, it became clear that working with a collection agency was the only way to recover payments from a few people.

Using a third-party collection agency can be effective, but it should be a last resort. The goal should be to collect while maintaining a healthy patient relationship, which likely will be lost once the account is turned over to the collection agency.

Use Technology to Your Advantage

Today’s tools can make a significant difference in your collection process.

Practice management systems can:

• automate eligibility checks
• estimate patient responsibility
• send reminders.

Establishing card-on-file policies can streamline payments, especially for ongoing care.

Equally important are your reports.

Track metrics like:

• Days in accounts receivable
• Collection rates
• Total patient balances, etc.

to help you identify where you stand, if your process is effective, or if it’s breaking down.

The idea is: what gets measured gets improved.

Train Your Team

Lastly, train your staff to normalize the conversation.

One of the most overlooked aspects of collections is training.

You and your team need more than just a script; you need confidence.

Speaking with confidence (instead of an apologetic tone) comes from practice, consistency, and a clear understanding that collecting payment is part of delivering care in our current healthcare system.

Finally…

Patients are feeling the pressure of rising healthcare costs, and it’s important to acknowledge that. However, your practice cannot function without consistent cash flow.

The goal is to strike a balance, offering reasonable flexibility when appropriate while maintaining clear, consistent policies. And when you make exceptions, they should be intentional, not accidental.

Improving your collections doesn’t mean you have to use aggressive tactics or engage in uncomfortable conversations. However, it requires clear expectations, clear policies, and consistent processes.

When collections become a repeatable system, your cash flow stabilizes, your stress decreases, and your practice becomes more sustainable.

And that ultimately allows you to focus on what matters most, caring for your patients.

Is everyone in your office enforcing your financial policy? Do you collect payment at the time of service without exception?

Please share your knowledge and experiences with us… Share your input via a comment below.

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post How to Improve Practice Collections Without Damaging Trust appeared first on Nurse Practitioners in Business.

This is the fourth installment in our series on Cybersecurity, inspired by Senate Bill 3315,  the Health Care Cybersecurity and Resiliency Act of 2026.

If you haven’t seen or read the article series, you’ll find Part 1 (Overview), Part 2 (Take Inventory), and Part 3 (MFA, Multi Factor Authentication) at the specified links.

Today, we’ll talk about data encryption.

The proposed legislation (S. 3315) requires all HIPAA-regulated entities to implement minimum cybersecurity standards, including data protection:

Encrypt all electronic protected health information (ePHI), at rest and during transit.

It’s a reasonable request, after all, you want to keep patient data private and safe. No argument here.

But the question is… how do you do that?

So what does data encryption actually mean for your day-to-day practice, and what do you need to do?

What is Encryption?

At its core, encryption is simply a way of making data unreadable to anyone who isn’t authorized to access it.

If someone gets access to your system, whether through theft, hacking, or by mistake, encryption ensures that they can’t read or make sense of the information.

Encryption must protect your data in two ways.

First, when data is at rest…

Data lives on your laptop or desktop, in your EHR, or is stored in the cloud. This is called data “at rest.”

Second, when data is on the move…

When data is transported from your office to your billing company, from your office system to a patient portal, or via email, this is called data “in transit.”

Both scenarios matter and are ways your data could be compromised. Often, practices may unknowingly protect one but leave the other exposed.

Protecting Data at Rest

Let’s start with stored data, because this is the easiest place to make meaningful improvements.

Think about all the places patient information lives in your practice: laptops, desktops, cloud systems, backups, mobile devices, and your EHR.

If one of those devices is lost, stolen, or accessed improperly, you want the data to be completely unreadable to the unauthorized user.

The simplest and most effective step you can take is turning on full-disk encryption on every computer. Most devices already have this built in.

Windows computers use BitLocker, and Apple devices use FileVault.

In many cases, this is just a setting that needs to be turned on. Be aware that, depending on your device, encryption may slow down your workflow.

However, activating this option alone protects you from one of the most common real-world scenarios: a lost or stolen laptop.

If you don’t want to use the built-in options, there are numerous alternatives to choose from to encrypt your data. Be sure to do your due diligence before you make a final decision.

A WORD OF CAUTION…

Before you change any settings to activate full disk encryption, in Windows or macOS, stop and think about how you will manage the password or PIN required to access the system, along with the recovery key created during setup (if the option was enabled).

In the event you lose access to both the password or PIN and the recovery key, you will not be able to access the data on the encrypted disk... Period!  End of story!

The only way to get your data back is from a current backup.

Set-up and available recovery options depend on your device and OS version for Windows and macOS. Make sure you understand the process and the available options, and have a plan for managing it all.

Next, consider your cloud storage.

Many practices use platforms like Google Drive, Google Workspace, or Microsoft OneDrive. While most systems encrypt data automatically, not all do, and those that don’t need to be configured.  

Keep in mind that encryption doesn’t replace good access control.

If files are shared too broadly, encryption won’t stop the wrong person from accessing them. It’s important to confirm that your cloud provider offers HIPAA-compliant agreements and to limit access only to those who truly need it.

Your EHR system is another critical area.

While most modern EHRs already encrypt stored data, don’t assume all do.

It’s worth confirming with your vendor, ideally in writing, that encryption is in place and that security responsibilities are clearly defined. This is especially important because your EHR contains most of your sensitive data.

Finally, don’t overlook backups.

Backups are often forgotten, yet they contain everything.

If you’re using external drives or cloud backup tools, those backups must also be encrypted. Otherwise, you’ve secured your main system but left a complete copy of your data exposed.

Protecting Data in Transit

Now let’s talk about data in motion, which is where many practices unknowingly take risks.

Anytime you send or access patient information via email, a portal, or remote login, that data travels across numerous networks, which means it can be intercepted… hacked without proper protection.

The most basic place to start is ensuring that the systems you use operate over secure web connections.

If you see “https://” at the beginning of a website, that means encryption is in place while the data is being transmitted. This should be standard for your EHR, patient portal, and any system where patient data is entered or accessed. Most browsers will alert you if a website uses an older protocol.

Email is where things get more complicated.

Regular email is not secure by default, even though many organizations still use it that way, creating a major vulnerability.

You need an email system that supports encryption, such as Microsoft 365, Google Workspace, or a specialized solution like Paubox.

These tools ensure that emails and attachments containing patient information are protected and only accessible to the intended recipient. Some tools are secure out of the box, while others require configuration.

File sharing is another area to watch.

Sending patient documents as standard email attachments or through unsecured links is risky.

Instead, it’s better to use secure file-sharing platforms such as ShareFile, which are designed to transmit sensitive information safely.

If you or your staff access systems remotely, from home or another location, using a Virtual Private Network (VPN) is essential to reduce the risk of data interception.

What This Looks Like in a Real Practice

At this point, it’s easy to feel like this is a lot to manage. The good news is that most of what you need is already available in the tools you use every day.

In a typical NP practice, encryption is not something you have to build from scratch. It’s something you can enable, verify, and manage.

That means turning on device encryption, obtaining Business Associate Agreements, confirming your vendors are doing their part, securing how your team communicates, and using strict access controls.

And don’t forget to document your steps. Under the new regulatory expectations, it’s no longer enough to say, “We take security seriously.” You need to be able to show what you’ve done to keep data safe and secure.

Final Thought

For you, a busy NP Business owner, cybersecurity may feel like just one more item on a long list of to-dos.

While you don’t need to become an IT expert, you need to make sure that the tools you rely on are configured correctly, data access is controlled, and that your systems are working together to keep patient data safe.

Let me quote Harry S. Truman, who famously said: “The buck stops here.”

The same applies here: cybersecurity in your practice is your responsibility!

So, educate yourself about the best options for your practice, and then, if necessary, bring in an expert to help with the setup.

Once the proper systems are in place, it won’t take much to keep them up to date.

Do you currently encrypt data in your office? Let us know which options you’re using and how…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post Cybersecurity: What Every NP Must Know Part 4 – Data Encryption appeared first on Nurse Practitioners in Business.

But there’s another strategy, one that may be even more effective: patient education.

Most NPs, whenever they interact with their patients, answer questions, explain conditions, and help them make decisions.

That knowledge, the things you find yourself explaining repeatedly, is a business asset you can put to use.

Why not create educational materials that answer questions and help attract new patients to your practice?

Educational materials aren’t just helpful for patients; they’re among the most effective forms of marketing.

And… when used strategically, you can also turn them into additional income streams for your practice.

Why Educational Materials Double as Marketing?

Because they meet people where they are.

Before someone calls your office to make an appointment, they‘re searching online.

They may be asking questions like:

• “Why am I so tired all the time?”
• “Why can’t I sleep through the night?”
• “How serious is high blood pressure?”

And when your educational content answers their questions, people feel understood and develop a sense of familiarity with you and your practice.

Educational Materials Build Trust Before the First Visit

Educational content lets patients experience your expertise before meeting you in person.

Instead of “selling” your services, you’re demonstrating your knowledge, which creates a powerful effect: a sense of familiarity… “I feel like I already know this provider.”

This sense of familiarity reduces any hesitation and makes booking an appointment feel like the natural next step.

Educational Materials Scale Your Time and Expertise

How many times did you explain the same thing to different patients this week?

With the help of educational materials, you can give an answer to a question or explain something once and then use it repeatedly.

A single brochure, checklist, or video can:

• Answer common questions
• Clear up any confusion
• Reinforce your recommendations

With the right educational materials, you can support your patients between visits and extend your impact without working more hours.

Educational Materials Position You as the Authority

You are an authority in your field…

However, in today’s healthcare environment, various services feel interchangeable to patients.

But your educational content changes that.

When you consistently provide clear, helpful information, you move from being “the provider” to being “the trusted expert.”

And trusted experts are not chosen based on price, but on confidence.

Educational Materials Improve Clinical Outcomes

Well-informed, educated patients are more engaged patients.

They are more likely to have a deeper understanding of their condition and follow their treatment plans more consistently. They are invested in the outcome.

And better outcomes lead to stronger relationships, which in turn lead to repeat visits and referrals.

What are the Most Effective Educational Materials?

There are many different types or formats of educational materials you can choose from.

Keep these guidelines in mind:

• Choose a format that works best for your audience: a brochure or printed material may be better for geriatric patients than short video clips to watch on YouTube.
• Choose a type that is easy for you to create and keep up to date: perhaps it’s easier and faster for you to write a handout rather than filming a video.
• Choose a format that is inexpensive to produce and easy to keep current, particularly if you want to create a catalog of educational materials.
• Pick a format and type you enjoy creating, or one that is relatively inexpensive to outsource.
• Consider additional materials you could create later that would complement the first. (You don’t need to create everything at once.)

Start with educational materials that are simple, practical, and easy to create and directly tied to the services you provide:

Consider these basic formats to start with:

• Print Brochures
• Pamphlets
• Handouts
• Digital content (your website, videos)

Use both print materials and digital tools to deliver your educational content, and see which works better for your practice… and do more of that.

Your best content is already inside your practice.

If you’ve explained something more than twice, it’s worth turning into an educational resource.

And start thinking… create once, use everywhere

One piece of content can be used in multiple ways:

• As a handout in your office
• As a blog post on your website
• As an email follow-up after a visit
• Or as a social media post

Turning Educational Materials into Income Streams

This is where most NPs stop…

But this is where a real opportunity can begin!

The same materials that educate your patients can also be packaged and monetized into digital products.

Generally, digital products have low overhead and easy scalability. Here are some ideas for you to consider…

Standalone Guides and Handouts

Start with simple, easy-to-create downloadable guides and handouts, condition-specific education bundles, or FAQ’s (frequently asked questions). They can be created as text-only, PDFs, videos, audio, or any combination thereof.

These products can be sold repeatedly but require minimal ongoing effort.

As mentioned before, consider your audience and yourself when developing these products.

Simple guides and PDFs are easier to create compared to other product formats.

However, there is a learning curve for checkout (selling), delivery, and product support, depending on the platform you use.

Online Courses

For deeper topics, developing entire courses lets you teach once and sell indefinitely.

Courses position you as an authority and typically offer a higher-value experience over basic guides and PDFs.

Consider your audience and their level of comfort with consuming a video course rather than written material.

Also, consider your comfort with technology and your willingness to learn or outsource to create and implement the course.

Structured Programs

Another option is to create live, in-person programs, such as:

• Weight management
• Diabetes prevention or management  
• Smoking cessation
• Stress reduction
• Wellness program

These programs may be delivered one-to-one, in groups, or in a self-paced format.

These programs require more of your time and effort and are less scalable than other formats.

Workshops and Webinars

Here is another way to repackage your education materials.

Conducting live or recorded sessions is an excellent way to bridge free and paid offerings.

You may deliver your message via a paid Zoom meeting or another platform. You record the meeting and then sell it as an on-demand product. Live meetings allow your audience to ask questions and interact with you, something most people like.

However, keep in mind that if you want to record the session and sell it later, you must inform participants of your plans and obtain their permission to be recorded.

Membership Models

Last but not least, the membership model.

This model provides ongoing access to your educational content, including updates and new materials. This creates recurring revenue while strengthening the relationship with your patients.

This model is viable only if you have an extensive catalog of educational materials. Additionally, you must be able to keep the content current, make frequent updates, and provide support to your members.

This probably isn’t the best place to start monetizing your educational content, as it is more advanced.

However, it might be worth considering implementing later.

How to Get Started?

Keep it simple…

You don’t need a complicated system to get started.

Start with:

1. Writing down the top 10 questions your patients ask
2. Turn 3 of them into simple guides or FAQs
3. Use them in your practice and on your website
4. Expand one into a more detailed resource
5. Then rinse and repeat

That’s it.

Start small, stay consistent, and build from there.

In Conclusion…

Educational materials are not an “extra” task, another thing to check off your list.

When used intentionally, they

• Build trust

• Attract and retain patients
• Improve outcomes
• Offer more income

Think of them as a core part of building a sustainable, thriving practice, with the built-in opportunity to create additional income streams.

These extra streams can remain part of your practice or can be developed into a separate, standalone educational business.

Whatever route you take, the knowledge you already share every day has value far beyond the exam room.

The opportunity is simple: Capture… Package… Monetize

Have you created patient educational materials in your office? Any recommendations or suggestions?

Please share them with us… Thank you.

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post How to Turn Questions From Patients Into Profit appeared first on Nurse Practitioners in Business.

So it’s hard to fathom that the most commonly used password in the country is still 123456?!

That’s according to Cisa.gov (Cybersecurity & Infrastructure Security Agency), whose primary mandate is to coordinate efforts to reduce the risk to US cyber and physical infrastructure.

The organization also provides a range of no-cost cybersecurity services and tools to the public.

Senate Bill 3315

If you’ve kept up with our discussions about cybersecurity, you know that the bill is not yet law, but it’s likely it will be soon. The proposed changes are significant, and so it’s reasonable to start preparing for them now.

However, if you’re new to our discussion, you can get up to speed by first reading the overview of the changes, then part 1 (take inventory), here.

Today, we’re tackling a core requirement in the bill: Multi-Factor Authentication (MFA).

Multi-Factor Authentication

Cybersecurity in healthcare is no longer just an IT concern, but is quickly becoming a core business responsibility for practice owners.

We’re moving away from loosely defined “best practices” toward specific, enforceable security expectations.

One of the most important is Multi-Factor Authentication (MFA).

From “Recommended” to “Expected”

Under HIPAA, practices were expected to evaluate multi-factor authentication (MFA), but not to implement it.

But that’s no longer the case.

As mentioned in previous articles, Senate Bill 3315 proposes baseline security requirements across the entire healthcare industry.

This is in response to large-scale breaches that exposed the interconnected and vulnerable nature of the healthcare system. And so, MFA is no longer optional, but is becoming the default.

What is Multi-Factor Authentication?

You probably know the answer, but to be on the same page, let’s briefly define it.

Here’s CISA once more… “MFA is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s login.”

MFA consists of two or more parts/factors:

1. Something you know… a password
2. Something you have… a phone
3. Who you are… fingerprint, facial, or iris scan

Once set up, the first time you sign in on a device, you must provide your username and password, then verify you have the second factor by entering the code you received.

The next time you sign in on the same device, you still need to provide your username and password. However, you don’t need to verify that you have the second factor, which is stored in a cookie.

This will be valid until the cache is cleared… or the cookies are cleared.

Almost all applications we use day in and day out require MFA, verifying identity via text, phone, email, or another method.

Isn’t it time to implement the same in your office?

Why Is MFA Getting So Much Attention?

Because most cyberattacks don’t start with a sophisticated hack. They start with something much simpler:

• A never revoked password
• A reused login
• A stolen password
• A phishing email

And no matter the method, once attackers gain access, they can move quickly, often without detection.

But MFA changes the landscape.

By requiring a second form of verification, such as a code on a phone, a login approval, or a physical security key, MFA makes it significantly harder for unauthorized users to gain access, even if they have the correct password.

This is why CISA and NIST (National Institute of Standards and Technology) list MFA among the most effective cybersecurity controls.

S3315 and MFA

Senate Bill 3315 not only proposes stronger cybersecurity but also standardization across key areas that rely directly on MFA, including:

1. Identity and Access Management

Every user accessing systems with patient data must be properly authenticated via MFA, including:

• EHR systems
• Billing platforms
• Email accounts

2. Remote Access Security

With telehealth and cloud-based systems, remote access is now a major risk. Hence, MFA is expected for:

• Remote logins
• VPN (if used) access
• Cloud-based platforms

3. Privileged Access Controls

Not all users need the same level of access. Administrators and owners have full access, whereas employees typically do not. This means that MFA should be mandatory for:

• Practice owners
• IT administrators
• Billing system managers

4. Vendor and Third-Party Oversight

Healthcare organizations work with outside vendors, including clearinghouses and software providers. You may be expected to:

• Confirm vendors use MFA and/or
• Document their security practices

Inadequate Security Measures

Too many practices still rely on outdated security measures that will not hold up in the near future, including:

• Password-only logins
• Shared staff accounts
• Shared passwords
• SMS-only verification (as the sole method)
• Informal or undocumented security practices

These approaches will not meet new security standards and must be updated as soon as possible.

Document your MFA practices, as potential audits expect written plans, policies, and a list of systems protected by MFA.

A New Mindset

Zero Trust Security is the new approach to cybersecurity.

The central premise is to: never trust, always verify.

Therefore, in addition to a login, MFA may also be required:

• When accessing sensitive data
• When logging in from a new device
• When performing high-risk actions

Implementing MFA

Traditional passwords alone are no longer adequate and are being replaced by various MFA methods.

But not all MFAs are created equal… not all provide the same level of security.

The MFA you choose should be tailored to your specific situation, the required security level, and the user’s workflow.

For example, asking a medical assistant to use SMS or email verification for repeated device access throughout the day may not be the best solution.

The assistant’s workflow may require moving between rooms and accessing different devices, with little time to spare in between.

Using SMS or email verification might slow down the workflow, as employees have to re-enter their email address or wait for a text to confirm their identity when moving between devices.

Using biometric authentication, such as a fingerprint or facial recognition, might be a better solution in this scenario.  

Today, we have numerous MFA solutions to choose from, meeting the needs of varying environments and workflows.

Here are some common MFA solutions:

• Biometrics: fingerprint, facial recognition, or iris scan to log in
• Authenticator apps: provide a temporary, time-sensitive code
• SMS/Email verification codes: active for a limited duration
• Push Notifications: sent to a device for approval or denial
• Physical Security Keys/Hardware Tokens: tap or plug in to verify access
• Passkeys: encryption using a public and private key

A Practical Approach for your NP Practice

MFA is one of the simplest and most cost-effective security upgrades you can make.

• Start with the essentials:
  Enable MFA on email, EHR, and billing systems
• Choose user-friendly tools:
  Physical Security Keys, authenticator apps, or push notifications work well in busy clinical settings. Keep it simple so that MFAs are used and respected.
• Strengthen over time:
  Add device-based controls or hardware keys for higher-risk accounts as you strengthen your office’s cybersecurity.

Keep in Mind…

While cybersecurity can feel overwhelming and too technical for some Nurse Practitioners, it doesn’t have to be.

MFA is a relatively simple approach that you and your staff are already using everywhere else. Choose a solution that fits your office, workflow, and budget.

MFA, when implemented and used correctly, is easy to understand and effective, enabling you to prevent breaches rather than react to them.

The bottom line is this…

In the future, you must be able to prove that the person accessing your systems is an authorized user and who they say they are… And that’s what MFA provides for your business.

We’ll cover how to implement the new requirements in subsequent articles. And, we’ll keep you up to date on changes to the legislation as soon as information becomes available.

Which MFA tool are you using in your practice? Have you worked with other tools in the past? Which factors did you consider before you picked one tool over the other?

Please share your experiences with us in the comment section below…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post Cybersecurity: What Every NP Must Know Part 3 – MFA appeared first on Nurse Practitioners in Business.

But that’s not acceptable, particularly as more and more of our personal information lives online. We must take steps to protect our own data and the data of the people we serve.

For Nurse Practitioners in private practice, that means safeguarding patient data.

If you read last week’s post, you know that the goal of Senate Bill 3315 is to tighten Cybersecurity across all healthcare organizations.

Up to now, organizations were expected to make “reasonable efforts” to protect data.

However, if the pending legislation passes, a defined level of cybersecurity must be implemented and proven with documentation, logs, testing results, and audits.

While this will create short-term inconvenience and disruption for organizations, keeping data safer will be worth it in the long term.

Where to Start?

Perhaps you’re wondering whether you should wait and see if the proposed legislation becomes law, or get started now?

I think it’s best to get ahead of the curve and start now.

It’s in your best interest to do all you can to protect the data you’ve been entrusted with, along with yours.

Besides…

Updates to the current security standards are sure to come, even though they may differ from the proposed standards.

The suggested legislation is complex and would require all HIPAA-regulated entities to implement minimum cybersecurity standards, including:

• MFA (Multi Factor Authentication)
• Data Protection (Encrypt all ePHI, at rest and during transit).
• Security Testing (Conduct audits and penetration testing).
• Framework (Alignment with established standards, like the NIST)

If you’re thinking that implementing these requirements is too much to ask of small practices, you are not alone!

As overwhelming as it may seem, I believe that with a detailed implementation plan and adequate time on your side, you can implement greater security for your organization.

I suggest you start tightening security in your office as soon as possible.

So, let’s start at the beginning, with one of the most important and overlooked areas of cybersecurity, your asset inventory.

If you don’t know what you have, how it connects, and who has access to it,  you can’t secure it, yet everything else, including MFA, encryption, and monitoring, depends on it.

Why an Asset Inventory Matters

Creating and maintaining an up-to-date inventory is the foundation for assessing security risks.

A current and up-to-date inventory:

• Lets you know where all ePHI resides and how it flows through your office.
• Reduces the risk of a data breach due to “shadow devices,” forgotten and unmonitored devices that may become entry points for attackers.
• Allows you to respond faster to incidents by quickly isolating affected devices and systems.
• Creates an audit trail, along with internal documentation for systems maintenance.

Keep in mind, many data breaches happen because of outdated, forgotten, or unattended software.

Hackers exploit this, along with weak passwords. They steal credentials and seek to exploit every security weakness they can find.

And don’t make the mistake of thinking small practices are not worth the trouble for hackers.

On the contrary, hackers assume that small practices are lax in their security and easy to take advantage of.

A small practice is a perfect target for hackers…

Let’s prove them wrong!

Your Inventory: What to Include?

Every device and piece of software your office uses to access and transfer data is a potential entry point for hackers and should be part of your inventory. Include the following:

Hardware, all devices used to access data:

• Desktop computers
• Laptops
• Tablets and phones
• Printers, scanners, fax machines
• Routers and network equipment
• Software-enabled medical devices
• Servers (on-site or cloud-connected)
• Include all personal devices used for work

Software, everything used in your practice:

• EHR/EMR systems
• Scheduling software
• Billing and claims systems
• Cloud storage (Dropbox, Google Drive, etc.)
• Telehealth platforms
• Email programs
• Antivirus security programs
• Any additional applications installed on computers

Software is where data resides. Outdated or unauthorized software is one of the most common causes of data breaches and hacks.

Vendors & Third Parties:

• Billing companies
• IT service providers
• EHR vendors
• Cloud service providers
• Payment processors
• Telehealth platforms
• Any business that handles patient data (directly or indirectly)

Your risk is not limited to you alone; it includes everyone connected to you or anyone you connect to. Therefore, if a vendor is compromised, your data may be compromised too.

Who has Access?

This step is critical…

Determine and document who has access to what.

For every device, software system, and vendor, you must know who has access to it.

Account for:

• Employees
• Contractors
• Vendors
• Former staff (this is a high-risk area)

Frequently, data breaches and hacks happen not because someone had access, but because access was never removed!

Keep track of prior access and when and how it was revoked.

How to Keep Track

The simplest way to keep track of this information is with a spreadsheet, using MS Excel or Google Sheets.

A centralized spreadsheet is accessible, simple to create, and easy to maintain.

I suggest you create a master spreadsheet for everything; include as much detail as possible:

• Sheet 1 contains all hardware information
• Sheet 2 contains all software information
• Sheet 3 contains all vendor and 3^rd party data
• Sheet 4 lists access, the role, access level, and start/end date

View your spreadsheet as a living document. Start with a simple spreadsheet and refine it as you go. Review it often and keep it up to date.

Utilize this spreadsheet as you bring on new employees and as others leave your practice.

Update it as new software is installed and more devices are added.

Use it to clean up any unused or outdated software and to revoke access of former employees.

Utilize it to troubleshoot and evaluate vendors you’re working with or consider working with. And of course, use it as you prepare for an audit.

To Sum Up …

Creating a comprehensive inventory spreadsheet pays off…

You will be safer against hackers and data breaches, and you will have more control over your practice.

Let’s face it, you cannot protect what you can’t see, no more than you can hit a target you can’t see.

Creating and maintaining an inventory of devices, software, and vendors, and documenting who has access to each, is one of the highest-impact actions you can take in your practice today.

And it doesn’t take a high level of technical knowledge.

What it takes is the willingness to set aside time to document how your office handles patient data from start to finish.

And in the new, proposed regulatory environment, that may be the difference between a manageable incident and a catastrophic one.

We’ll cover how to implement the new requirements in subsequent articles. And, we’ll keep you up to date on changes to the legislation as soon as information becomes available.

Do you know how patient data flows through your office? Do you know which device is an access point, and who has direct access to the data?
Let us know what you think in the comments below…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post Cybersecurity: What Every NP Must Know Part 2 – Take Inventory appeared first on Nurse Practitioners in Business.

2024: A Wake-Up Call

Perhaps you remember… February 21, 2024…

A ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary processing 40% of all medical claims in the US, exposed a critical weakness in the U.S. healthcare system.

This was not your average data breach…

The cyberattack caused major disruption to the US healthcare system, affecting claims processing, delaying payments, disrupting prescription refills, and creating widespread financial instability across practices, especially for smaller and rural ones.

Here’s what made this incident so alarming…

Change Healthcare functioned as a centralized hub for claims and prescription data, and when it was attacked, the entire system felt the impact.

Approximately 190 million individuals had sensitive data exposed; it was one of the worst attacks on the US healthcare system.

This cyberattack made it clear that healthcare today is so interconnected that a single point of failure can ripple across the entire ecosystem, triggering a major shift in regulatory thinking.

When a cyberattack can delay access to life-saving care and medications and threaten the viability of medical practices, it is no longer an isolated compliance issue but a matter of national resilience.

Updates to Legislation

The response to the systemic risk is the Health Care Cybersecurity and Resiliency Act of 2025 (S. 3315).

This legislation represents the most significant overhaul of healthcare data security since the HITECH Act of 2009, which primarily encouraged providers to adopt electronic health records to ensure the privacy of healthcare data. 

At its core, Senate Bill 3315  replaces the previous “trust-based” compliance model with one built on verifiable evidence.

In the past, organizations were expected to make “reasonable efforts” to protect data. Under the new framework, they now must prove it with documentation, logs, testing results, and audits.

If passed, the new legislation would require all HIPAA-regulated entities to implement minimum cybersecurity standards, including:

• MFA – Multi Factor Authentication:
  Moving from simple passwords to mandatory multifactor authentication (MFA) to gain system access.
• Data Protection:
  Encrypt all electronic protected health information (ePHI), at rest and during transit.
• Security Testing:
  Conduct audits and penetration testing (simulated cyberattack to check for exploitable vulnerabilities) to maintain the integrity of information systems.
• Framework:
  Alignment with established standards like the NIST (National Institute of Standards and Technology) frameworks.

The key theme is clear: saying your systems are secure is no longer enough; you must be able to prove it.

A New Approach

Since managing cybersecurity at this scale requires more than a single agency, S. 3315 formalizes a coordinated federal effort involving three primary players.

• HHS – The Department of Health and Human Services:
  takes the lead role. It is responsible for updating HIPAA regulations, developing a national incident response plan, and reporting to Congress on the state of healthcare cybersecurity.
• CISA – The Cybersecurity and Infrastructure Security Agency: serves as the technical backbone, providing expertise, developing training programs, and helping improve cybersecurity literacy across the healthcare workforce.
• ASPR – The Administration for Strategic Preparedness and Response: plays a particularly important role as the Sector Risk Management Agency. Its focus is identifying hidden risks—especially third-party vendors whose failure could create widespread disruption.

Together, these agencies create a structured ecosystem designed to identify threats before they escalate and to respond effectively when incidents occur.

The Problem…

While the legislation’s goals are widely supported, its implementation raises real concerns, particularly for smaller practices.

Implementation estimates across the entire healthcare industry are $30 billion.

For independent practices already operating on thin margins, this is not just a minor inconvenience but a major challenge.

Adding new layers of cybersecurity is expensive and can feel overwhelming, particularly when operating with a small team, limited IT support, and a tight budget.

To address this issue, the legislation includes “Safe Harbor” for certain entities.

Safe Harbor for Eligible Practices

Previously, Safe Harbor was more of a guideline. However, under S. 3315, it becomes a formal requirement that must be considered.

Under Safe Harbor provisions, offices that can demonstrate they followed “recognized security practices” for at least 12 months before a data breach may receive reduced penalties and fewer regulatory consequences.

In practical terms, this means documentation matters more than ever. It’s not enough to implement security measures: you must track, record, and maintain evidence of your efforts.

Practices that proactively adopt strong cybersecurity measures may significantly reduce their legal and financial risks if a breach occurs.

Support for Some Providers

The proposed legislation acknowledges that not all healthcare organizations have the same resources.

To prevent cybersecurity from becoming a “luxury” only large systems can afford, the bill includes some targeted support:

• Federal grants for rural clinics, nonprofit hospitals, and Federally Qualified Health Centers (FQHCs)
• Tailored guidance for low-resource settings
• Specialized assistance for high-risk sectors like the Indian Health Services and cancer centers

These provisions are essential because without them, the gap between large health systems and smaller practices would continue to widen.

Unfortunately, they don’t address the needs of other small medical offices that may struggle to implement the required changes. Hopefully, this will be addressed before the bill is signed into law.

What‘s Next?

The proposed legislation has passed the US Senate Committee on Health, Education, Labor, and Pensions (HELP Committee). suggesting a high likelihood that it will be signed into law.

Historically, organizations can expect a relatively short implementation window, known as the “six-month rule,” after final regulations are published.

This means practices will need to act quickly; waiting is neither viable nor smart.

A Checklist

The following lists the new requirements:

• Implement multifactor authentication across all systems
• Maintain a complete inventory of all devices, software, and vendors
• Ensure encryption of data both at rest and in transit
• Conduct annual penetration testing
• Develop and test an incident response plan
• Invest in ongoing staff training and cybersecurity awareness
• Document, document, document

Some things are easier to implement than others. Don’t wait to get started; start implementing as soon as you can.

These are no longer “best practices.” They are quickly becoming baseline expectations.

In Closing…

The proposed changes represent a new standard.

Promises or policies no longer define healthcare cybersecurity. Today, they are defined by documented, auditable evidence… by proof.

Practices that understand this shift and begin preparing now will not only protect their businesses but also position themselves to thrive in a more demanding regulatory environment.

For Nurse Practitioners and independent practice owners, this is more than a compliance issue; it’s a business imperative.

How can you get started?

We’ll cover what to do and how to start implementing the new requirements in subsequent articles.

And we’ll keep you up to date on changes to the legislation as soon as information becomes available.

How prepared are you should the proposed legislation become law?

Let us know in the comments below…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog.

The post Cybersecurity: What Every NP Must Know Part 1 – Overview appeared first on Nurse Practitioners in Business.

But here is the problem …

Most Nurse Practitioner business owners don’t have time to keep up with constant online demands.

And that’s why, between patients, documentation, dealing with staff, and running the business side of the practice, marketing often gets pushed to the bottom of the list.

But finding new patients and maintaining visibility in the community are a must… if you want to stay in business.

So here is the good news…

Marketing doesn’t have to mean endless posting or hiring expensive agencies. One of the most practical and sustainable approaches is content marketing.

When done correctly, content marketing allows you to educate, gain trust, and attract new patients without spending hours every week on plain promotion.

What is Content Marketing?

In his book, “Epic Content Marketing,” Joe Pulizzi gives the following definition:

”Content marketing is the marketing and business process for creating and distributing content to attract, acquire, and engage a clearly defined and understood target audience – with the objective of driving profitable customer action.” 

Content marketing is considered pull marketing, whereas traditional marketing belongs to push marketing.

Here is what that means…

Traditional marketing tends to be louder, announcing to the world: “Come see us and buy our product, ” whereas content marketing takes a subtler approach.

Content marketing is focused on sharing helpful information and answering questions that customers or patients, in the case of your practice, are already asking.

The strategy is to provide information, education, and guidance, thereby positioning the business as a trusted resource.

The ultimate goal is to attract people to the practice and become patients by providing educational and informational content.

Examples of Content Marketing

Common examples of content marketing include:

• Publishing articles on your website
• Sending educational emails to patients on your list
• Posting to social media addressing common health topics
• Creating videos answering frequently asked questions
• Publishing frequently asked questions (FAQs) on the website

All are opportunities to answer the questions people search for online, before scheduling an appointment:

• Why am I always tired?
• How can I lower my blood pressure naturally?
• What are the symptoms of menopause?
• Do I really need vitamin supplements?

The practice that provides clear answers to these questions becomes a trusted resource. And when people need care, they are far more likely to contact the practice that has already helped them than to reach out to one they don’t know.

Why Content Marketing Works Well for NPs

Content marketing is a natural fit with the way NPs were educated and practice medicine; educators by training, working holistically.

For example, much of what happens during an appointment involves explaining conditions and helping patients understand available options.

Think of content marketing as extending that educational role beyond the exam room.

Imagine someone in your community searching online for help with fatigue.

The person comes across an article published by your practice that explains possible causes, when to seek medical evaluation, and which tests may be helpful.

By the time that person schedules an appointment, they already have some level of comfort and trust with your office.

This ability to build credibility, familiarity, and trust is one of the most powerful aspects of content marketing.

The Biggest Mistake Practices Make

When most NPs (and other clinicians) first hear about content marketing, they assume it requires a huge amount of work.

They’re afraid of having to:

• post on social media every day
• create professional videos
• maintain multiple online platforms
• produce constant new material

For most small practices, that’s unrealistic. While marketing efforts start strong, the workload quickly becomes overwhelming and falls by the wayside.

Luckily, though, constant online activity is not required for content marketing. What is required, however, is a simple and consistent system.

A Practical Strategy for A Busy Practice

Your approach to content marketing might involve just a few basic activities each month.

Perhaps you’ll start by posting one or two helpful articles on your website.

Each article should address a question you frequently get asked by patients. These articles don’t need to be overly detailed, complicated, or very long… even 700 or 800 words can cover a topic sufficiently.

Topic examples might include:

• “The benefits of getting vaccinated.”
• “When Is Fatigue More Than Just Being Tired?”
• “Three Reasons Your Blood Pressure May Still Be High.”
• “What Every Woman Should Know About Menopause.”

Keep your writing simple to make it easy to read. Give your article plenty of white space and break it up with subheads so it’s easy to scan.  

Take this article as an example. It has plenty of white space, subheads, and uses simple language, making it easy to consume.

Once your article is written, you can reuse the information in several ways.

• You could send an email to your patient list introducing the topic and linking to the article. This keeps your practice in front of patients and reminds them that you are a valuable resource for their health concerns.
• Next, you might create a few social media posts using key points from the article. The posts might get the attention of new patients and be seen by current patients.

A single article can easily produce several weeks of content, supporting multiple communication channels without creating additional work.

Finding Fresh Content Topics

At this point, you might be worried about coming up with new ideas.

However, it’s unlikely you’d run out of things to write about, since every day in your clinic provides you with fresh ideas.

• Capture the common questions patients ask during visits.
• Note the questions asked about specific health concerns.
• Collect the questions your front desk staff hears repeatedly.
• Compile a list of questions related to insurance.

For example, if several patients ask about vitamin D deficiency, that’s a strong signal that the topic deserves an article.

If patients are confused about hormone therapy or weight management, those questions become perfect candidates for educational posts.

Create a list of frequently asked questions and keep adding to it. Over time, that list becomes your editorial calendar.

Alternatively, you could use AI to help you come up with an extensive list of topics to write about and generate the outlines.

Focus on Helpfulness, Not Perfection

Don’t worry about creating content that’s perfectly written or highly technical.

Anything published must be correct, of course; however, it’s more important that it be helpful rather than written in medical jargon.

Patients are not looking for academic journal articles. They are looking for clear explanations about their health and for answers to their questions.

An article that answers a common question using simple language is far more valuable than one written using hard-to-understand and often confusing medical jargon.

Think of your writing as extending the conversation you have with a patient during an appointment. When talking with patients, you try to keep things simple and avoid using language that most people outside the medical field don’t understand.

Start Small and Stay Consistent

Focusing on content marketing or adding it to your marketing mix does not require a marketing department or a large budget. All it takes is creating useful information and sharing it regularly with patients.

For NP business owners, the most effective approach is simple:

• Write one or more helpful articles each month.
• Share it with patients by email.
• Print the articles for your waiting room reading material.
• Reuse the key points on social media or other channels.
• Reuse your content when giving community talks.

Over time, that simple approach will gradually build a strong online presence, reinforce your reputation as a trusted clinician, and help the right patients find your practice. And… it will improve your website’s visibility in the search engines.

In the end, content marketing is not about constant promotion. It is about education, building trust, and connection.

And for a busy practice, that may be the most natural form of marketing of all.

Already using Content Marketing in your practice? How often do you publish, and do you reuse your content?

Let us know in the comment section below…

By Johanna Hofmann, MBA, MAc., EAMP; regular contributor to the NPBusiness blog and author of “Smart Business Planning for Clinicians.”

The post How to Use Content Marketing to Grow Your Practice appeared first on Nurse Practitioners in Business.