Cybersecurity in Rheumatology: Staying Ahead of Threats in a Digital Age

Have you received a text recently about unpaid tolls or traffic violations? They sound scary, but they are not real! Cybersecurity is no longer just an IT concern—it’s a frontline issue for every medical practice, particularly in specialty fields like rheumatology. As we continue to embrace digital systems for billing, records, and patient communication, the risk of cyberattacks, fraud, and HIPAA violations grows. Practice managers must stay vigilant and proactive, because the consequences of poor cybersecurity can include data breaches, lost revenue, patient harm, and legal exposure.

Why Cybersecurity Matters for Rheumatology Practices

Rheumatology practices handle complex billing and sensitive clinical information, including infusion therapies and long-term treatment plans. These make your systems a prime target for cybercriminals looking to exploit healthcare data for profit. What’s more, smaller practices are especially vulnerable because they may lack dedicated IT security teams or robust protocols.

Real-World Threats and the High Cost of Inaction

According to a 2023 report from the U.S. Department of Justice, a nationwide healthcare fraud takedown led to 324 individuals charged in schemes involving over $1.4 billion in false billing, much of it tied to identity theft, fraudulent Medicare claims, and telehealth fraud. In many of these cases, the starting point was a basic cybersecurity lapse—like opening a malicious email or failing to verify a suspicious communication.

Emerging Threat: Fax Scams and Fraudulent Documents

One under-recognized threat in rheumatology practice management is fax-based fraud. While faxing may seem old-fashioned, it remains widely used in healthcare due to regulatory habits and legacy systems. Unfortunately, that makes it a backdoor for bad actors.

In some recent cases, patients or individuals impersonating patients and insurance companies have sent fraudulent faxes to practices—requesting medication refills, claiming identity theft, or submitting forged medical records request forms. These faxes often include fabricated documents with stolen or altered PHI. When staff act on these faxes without verification, they risk:

  • Legal and Financial Penalties: Violations of HIPAA can result in hefty fines, lawsuits, and regulatory action.
  • Loss of Patient Trust and Reputation Damage: Patients may lose confidence in the medical office’s ability to protect their privacy, leading to loss of clientele and long-term damage to the organization’s public image.
  • Operational Disruption and Recovery Costs: Responding to a cyber scam could involve substantial downtime, extensive investigations, and system upgrades to implement stronger cybersecurity measures.

To stay compliant, practices must treat all inbound faxes with the same scrutiny as digital communications. Verification protocols, staff training, and secure document handling are critical.

CMS recently issued an alert, “Medicare Fraud Scheme Involving Phishing Request Via Fax and Other Means” (https://www.cms.gov/fraud), warning of such scams.

Top Cybersecurity Risks in Medical Practices

  1. Phishing Scams: Email scams impersonating government agencies, insurance companies, patients, or vendors remain the #1 entry point for cyberattacks.
  2. Ransomware: Criminals encrypt your practice’s files and demand payment to restore them, often targeting practices with poor backups.
  3. Insider Threats: Internal staff can inadvertently or intentionally cause breaches by mishandling data or accessing it inappropriately.
  4. Fax Fraud: Forged or manipulated patient faxes can be used to steal services, commit fraud, or harvest PHI for resale.

How Practice Managers Can Protect Their Teams and Patients

  1. Verify All Patient Communications: Especially those received by fax. Always confirm unusual requests by phone or through a secure portal. Insist on patient signatures on all communications and compare them to the patient’s signature on file.
  2. Implement Multi-Factor Authentication (MFA): Require two-step verification for all logins to EHR or billing systems.
  3. Encrypt All Digital and Faxed Data: Use secure e-fax services that store transmissions in encrypted environments.
  4. Train Staff Frequently: Offer regular cybersecurity training, including how to identify phishing emails and fraudulent documents.
  5. Audit and Report Fraud: If you suspect a Medicare fraud attempt, report it to the appropriate authorities. Visit Medicare.gov to file a report or learn more.

Final Thoughts: Stay Proactive, Not Reactive

Rheumatology practices face unique cybersecurity threats due to the nature of chronic care and high-value treatments. Fax scams, phishing, and data breaches aren’t just IT problems—they are practice management issues that can damage reputations, trigger audits, and harm patients.

By staying informed and building a culture of security and compliance, practice managers can safeguard their operations, protect patient data, and prevent fraud before it happens.


Looking for More Guidance?
NORM offers ongoing education and sessions on healthcare compliance, cybersecurity, and fraud prevention tailored for rheumatology managers. Stay connected and keep your practice protected. See our quick guide below!

