Five reasons small medical practices are vulnerable to cyberattacks

Small medical practices are often targeted by cybercriminals due to weak security practices, such as the lack of security maturity and nonstandardized regulatory requirements.

The rise in cyberattacks in the healthcare industry and HIPAA audits by the Office of Civil Rights are raising concerns for healthcare organizations. Readiness factors vary from group to group, but most fear the possibility of a data breach or an audit since either can lead to serious legal and financial penalties. Small medical practices are often more vulnerable than others and likely to fall victim to damaging security breaches if they don't take the appropriate steps to protect their IT environment.

There are several security practices IT can put in place to mitigate the risks associated with data breaches, hacks and ransomware infections. These include security software, firewalls and end-user training, which together help ensure the environment is well protected. However, not everyone is on board with that approach, and many small medical practices across the U.S. remain vulnerable and are targeted by cybercriminals because of weak security practices. There are five key reasons why they are likely to be more vulnerable than most when it comes to cyberattacks.

Small organizations often lack security expertise

In most cases, the security resources for small medical practices are limited. The practice's general IT support tends to be outsourced to a local IT vendor that may not specialize in healthcare, does not offer robust and advanced security services, and likely does not have dedicated security staff and compliance officers. This lack of basic security safeguards within the practice leaves many groups vulnerable.

Costly security products and services burden small physician groups

When security experts outline what needs to go into protecting a healthcare IT environment, the list tends to include items such as an intrusion detection or intrusion prevention system, and antivirus and email filtering services. A lengthy list of services and products can be costly and add extra steps for care providers when they interact with the system. This becomes a major obstacle for smaller practices as they consider securing their environment, and many will settle for only a handful of basic protections that leave them open to more advanced risks.

Nonstandardized security requirements

HIPAA offers a set of security practices and criteria, and any entity that interacts with or stores patient health records must follow its guidelines. However, for many years HIPAA requirements left it to IT to interpret which technology tools and standards had to be put in place. That left room for many to adopt security practices based on what they believed was adequate and met the regulatory requirements. It also meant that the standard of protection varied from group to group, leaving some of them exposed to high risks. The Office of the National Coordinator for Health Information Technology has begun actively working toward providing more guidance around privacy and security practices and offers a number of resources for healthcare providers on its website.

IT security maturity, or lack thereof

Shrinking IT budgets are driving some health groups to look for IT service providers that are more cost-effective. That can lead to choosing one vendor over another simply because of its lower price, even when the more expensive vendor is more qualified and offers a better security practice. The level of security maturity varies greatly among IT vendors, and in many cases the cheapest option is the one that does not include the right security practices.

Risk assessments are not always performed

The HIPAA Security Rule mandates risk assessments, but many small medical practices fail to perform them even though assessment resources are available online. A risk assessment establishes a baseline of the general risks the practice faces from a technology perspective, and the gaps it identifies should drive IT to improve the overall security of the environment. When the assessment is treated as a box to check, the conversation about security's impact and the risks it poses to the practice is never fully had, and that leaves the practice more vulnerable in the long run.

With the increase in reported data breaches, more small practices will begin to ask their IT providers about their current security practice. Fortunately, several security tools are now available to them that are not as complex or costly as in previous years. The understanding that proper security practice in a healthcare organization is a must and not a "nice to have," combined with the increase in HIPAA audits, means things will change for the better: data protections will improve and keep cyberattackers from stealing and damaging patient data.