Cybercrime no longer targets only large hospitals or national healthcare systems. Today, small and mid-sized medical equipment services providers are among the most frequent targets — often because attackers assume they have fewer defenses in place.
At the Atlantic Coast Medical Equipment Services Association (ACMESA) Winter Meeting & Exhibit Show, Tech 2 Success shared a clear message: cybersecurity is now a core operational responsibility for DMEPOS organizations, not just an IT concern.
Why Medical Equipment Services Are at Risk
Cybercriminals go where the value is. For medical equipment services providers, that value includes:
- Patient health information (PHI)
- Billing and insurance data
- Medicare and accreditation records
- Employee and vendor credentials
According to FBI data referenced during the session, 75% of cyberattacks target small to mid-sized businesses, and healthcare-adjacent organizations are increasingly in the crosshairs. These attacks are also more targeted than in the past, often designed to cripple operations rather than simply steal data.
Most Attacks Don’t Start with “Hacking”
One of the most important takeaways from the presentation is that many breaches don’t begin with technical exploits. They begin with people.
Common threats affecting medical equipment services providers include:
- Phishing and spear-phishing emails
- Malware hidden in PDFs and Office documents
- Credential theft through weak or reused passwords
- Social engineering designed to create urgency or fear
In fact, 91% of cyberattacks start with a phishing email, and a significant number of recipients open and interact with them — even experienced staff members.
HIPAA vs. Accreditation: Clearing Up the Confusion
Accreditation is essential for most DMEPOS suppliers, but it’s not the same as cybersecurity compliance.
- HIPAA compliance is a federal legal requirement focused on protecting electronic PHI through safeguards, ongoing risk assessments, staff training, and breach notification procedures.
- Accreditation compliance verifies that appropriate policies and documentation exist and are followed during surveys.
The key distinction: accreditation demonstrates compliance at a point in time, while HIPAA requires continuous cybersecurity effort. Both matter, but HIPAA sets the deeper, ongoing standard.
AI Has Changed the Threat Landscape
Artificial intelligence is making cybercrime more convincing and harder to detect.
The session highlighted that:
- AI-generated phishing emails are increasing rapidly
- Employees are using generative AI tools on work devices, often without safeguards
- Company data may be unknowingly shared with external AI platforms
Without clear policies and controls, these behaviors can introduce new compliance and security risks.
Cyber Insurance Helps — But It’s Not Enough
Cyber insurance can assist with recovery costs, legal support, and breach response. However, insurers now closely evaluate a company’s security posture before offering or renewing coverage.
They often review:
- Backup frequency and off-site storage
- Disaster recovery planning
- Password and access controls
- Employee training and offboarding processes
In short, insurance expects prevention, not just reaction.
What Real Prevention Looks Like
Effective cybersecurity requires alignment across technology, process, and people.
Technology
- Professional email systems with multi-factor authentication
- Endpoint protection on all devices
- Regular patching, updates, and tested backups
Process
- Clear password and access policies
- Defined procedures for handling sensitive documents
- Limited network access based on role
People
- Ongoing cybersecurity training
- Overcommunication around suspicious activity
- A designated data security lead
Cybercriminals exploit shortcuts and assumptions. Strong fundamentals dramatically reduce exposure.
Cybersecurity Is a Business Issue — and a Patient Trust Issue
For medical equipment services providers, cybersecurity directly affects patient trust, billing continuity, accreditation standing, and daily operations. It’s no longer something to “get to later.”
A simple first step is understanding your current risk. Knowing where gaps exist allows you to prioritize improvements before an incident forces your hand.
If you’re unsure how prepared your organization really is, a structured cybersecurity self-assessment can help identify risks, clarify next steps, and support both HIPAA and accreditation requirements — without disrupting your day-to-day operations.