AMARILLO, TX – DME suppliers are used to managing complexity—from navigating prior authorization, coordinating deliveries, or keeping up with the latest CMS’s proposed rules. But there is one complex operational threat that is quietly growing and often overlooked: cybersecurity.
As suppliers digitize intake, billing, and patient communication, cybercriminals are taking notice. And with ransomware attacks on healthcare organizations hitting record highs, DME suppliers are no longer flying under the radar.
Why the DME Sector Is Vulnerable
Unlike large hospital systems, most DME suppliers operate with lean IT teams and legacy systems. They handle sensitive patient data, rely on time-sensitive operations, and often lack the resources to build robust digital defenses. That combination makes them prime targets.
Phishing attacks, credential theft, and ransomware are increasingly affecting healthcare-adjacent businesses. In many cases, a breach can begin with a single click, as simple as an employee opening a malicious email or unknowingly sharing login credentials. The consequences can be severe … resulting in locked systems, delayed deliveries, compromised patient data, and costly regulatory fallout.
What HIPAA Requires
The HIPAA Security Rule is not just about having antivirus software. It requires a full risk analysis, documented safeguards, and ongoing staff training. This means knowing where your vulnerabilities are, having a plan to respond to breaches, and ensuring your team understands how to spot threats before they escalate.
For suppliers, this includes securing intake portals, protecting cloud-based documentation, and ensuring that any AI or automation tools used for claims or compliance are HIPAA-compliant and auditable.
Ransomware: The Cost of Inaction
A ransomware attack does not just lock up the DME supplier’s files. It can halt deliveries, delay patient care, and trigger breach notifications. The average cost of a healthcare breach is now over $9 million, and the reputational damage can be even harder from which to recover.
CMS and accrediting bodies are increasingly expecting suppliers to show that they are taking cybersecurity seriously. This includes having incident response plans, using multi-factor authentication, and backing up data in ways that cannot be tampered with.
Building a Culture of Security
Cybersecurity is not just an IT responsibility; the entire team is responsible. From intake coordinators to billing staff, everyone plays a role. That is why regular training, phishing simulations, and clear protocols matter. When staff know what to look for and how to respond, the supplier’s organization becomes more resilient.
And for suppliers using AI tools to streamline documentation and monitor patient adherence, it is critical to ensure those systems are transparent, compliant, and backed by human oversight.
DME suppliers are trusted to deliver care, equipment, and expertise. Protecting patient data is part of that trust. Cybersecurity may not be the flashiest topic, but in today’s digital healthcare landscape, it is one of the most important. And when the Office for Civil Rights comes calling to ensure that the DME supplier is HIPAA compliant, the supplier’s cybersecurity position may be the difference between a clean review and a costly remediation plan.
Jeffrey S. Baird, Esq., is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Texas with a national healthcare practice. He represents pharmacies, infusion companies, HME companies, manufacturers, and other healthcare providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or [email protected].
Jacque K. Steelman, Esq., is a member of the Health Care Group at Brown & Fortunato, PC, a law firm with a national healthcare practice based in Texas. She represents pharmacies, infusion companies, HME companies, manufacturers, and other healthcare providers throughout the United States. Ms. Steelman can be reached at (972) 684-5789 or [email protected].
