Size Doesn’t Matter: Cybervillains Increasingly Target Small Healthcare Organizations

Updated on February 16, 2025

As evidenced by the ongoing and massive fallout from 2024’s Change Healthcare ransomware attack, small healthcare organizations are just as vulnerable to cyberattacks and IT events as their large counterparts—but their more limited resources translate into outsized risk profiles.

Surging cybersecurity threats don’t discriminate by a healthcare organization’s size, sector, or geographic footprint. In today’s high-risk security environment, an attack in one form or another is all but inevitable—along with the associated compliance issues and financial penalties. That is why even small healthcare organizations should undertake a self-audit to identify and address security and cybersecurity vulnerabilities.

A Threatening Environment

The trove of personal health information (PHI) they possess, which fetches rates as high as $60 per medical record on the black market, has put healthcare organizations of all sizes squarely in the crosshairs of hackers and other nefarious actors. Among the most commonly compromised forms of PHI are:

  • Personally identifiable information (PII) such as names, social security numbers, and dates of birth
  • Medical records
  • Insurance information
  • Financial data
  • Contact information 

As the volume of data held by healthcare organizations has surged, so too has the volume of cyberattacks. According to a survey by the Ponemon Institute, 92% of participating healthcare organizations experienced at least one cyberattack in 2024, and the average number was 40.

The average cost of the most expensive cyberattack to date was $4.74 million, encompassing direct cash outlays and labor expenditures, indirect labor costs, overhead costs, and lost business opportunities. Disruptions to normal operations due to system availability issues were the most expensive consequence, with a price tag of $1.47 million, followed by user idle time and lost productivity ($995,484) and the time required to ensure the impact on patient care was corrected ($853,272).

Nearly 70% of respondents to the Ponemon survey reported patient care disruptions from cyberattacks. This included 56% reporting poor outcomes due to delays in tests/procedures, as well as:

  • 53% increased complications from procedures.
  • 52% increased length of stay.
  • 44% increased patient transfers or diversions.
  • 28% increased mortality rates.

Threat Anatomy

In terms of cybersecurity, the five primary threat vectors are phishing, ransomware, social engineering, fake software updates, and business email compromise (BEC). Once an intrusion is underway, attackers retain access for an average of 90 days. During that time, hackers are not only able to plant malicious code, but they can freely explore accessible data and plan new ways to exploit it, as well as identify inroads into connected systems outside the practice.

Despite these realities, 22% of healthcare organizations surveyed by HIMSS reported spending just 3-6% of their IT budget on cybersecurity and just 11% allocated over 10% of their IT budgets to cybersecurity. It is an oversight that can have significant repercussions, both financially and reputationally. Not only can recovery take years, but compromised patient records can be HIPAA violations, exposing organizations to fines ranging from $100-$50,000 per violation.

A Proactive Stance

When it comes to cybersecurity attacks, it is a matter of when, not if. While the best way to assess and address vulnerabilities is to call in a cybersecurity professional to perform a comprehensive audit, it is possible to do a self-evaluation by answering a handful of questions in five key areas:

  1. Staff training: Is your team trained in cybersecurity best practices, including how to recognize phishing attempts, the need for strong passwords, etc., and is this training updated regularly?
  2. Security safeguards: Are security measures in place that minimize human errors (e.g., email filters, browsing restrictions, multi-factor authentication, etc.), particularly around PII access? Are they kept current?
  3. Software patches and updates: Are procedures in place for installing the latest patches and updates to software and systems to protect against emerging threats and remediate existing vulnerabilities? Are they followed?
  4. Business continuity: Is there a business recovery and continuity plan in place to get operations back up and running in the wake of a breach? Is it regularly reviewed and updated as needed? Are staff aware of the plan and trained in its deployment?
  5. Third-party security profiles: Do Business Associates (BAs) and other vendors, partners, and entities that may access the organization’s systems have proper protocols in place to prevent a breach on their end from impacting your operations? (This is particularly important as OCR 2024 figures through November indicate that breaches within BAs involved more than 129 million records compared to 27 million for healthcare providers.)

The answers to these questions will provide a fairly clear picture of any areas of weakness in a healthcare organization’s security profile and framework. Once identified, take action to harden areas of vulnerability against cyberthreats to mitigate risks and ensure the organization is prepared if the worst-case scenario comes to fruition.

One of the first steps should be getting staff members up to speed on security training and ensuring they are adhering to best practices. From there:

  • Back up all critical data on a regular schedule and encrypt it; backups should ideally be stored off-site in a HIPAA-compliant facility, and restores should be tested to ensure data can be recovered quickly when needed.
  • Schedule regular checks for software and device updates.
  • Implement or enhance email, online, and other security measures.

If one does not already exist, put in place an incident response plan outlining steps to take should a breach occur, including how to contain it, assess its impact, and notify affected parties. Be sure the plan encompasses all HIPAA and other compliance requirements. Business continuity should be included in the incident response plan, or a separate plan should be created.

Finally, consider partnering with an IT management firm that has specific experience in healthcare cybersecurity. It should offer, at minimum, proactive monitoring, regular security assessments, and staff training, and it should have a deep understanding of HIPAA and other compliance requirements. During the evaluation process, be sure to ask prospects about their response times and disaster recovery capabilities and obtain—and check—references.

Be prepared

It is only a matter of time before a healthcare organization is hit by a cybersecurity breach of some kind, regardless of size. The information they hold is simply too valuable a target for hackers to resist. However, the fallout can be minimized by hardening technology and establishing security and recovery protocols. Doing so allows the organization to continue providing quality patient care with minimal disruptions.

Erik Eisen
CEO at CTI Technical Services

Erik Eisen is CEO of CTI Technical Services, a leading provider of IT support and cybersecurity services with a diverse clientele including hospitality, legal, manufacturing, dental specialties, small medical practices, and other industries. For more than 20 years, Erik has provided security and cybersecurity, implemented state of the art technology solutions, and delivered services that protect the integrity of business’s data and, more importantly, their clients’ and customers’ data. He is at the forefront of exploring AI integration to help businesses enhance operations while preserving the essential human touch, ensuring new technologies are embraced effectively to improve client service.