
Small Healthcare Practices More Vulnerable to Data Breaches, Cyberattacks

Just under 50 percent of small healthcare organizations and 15 percent of large practices reported not having a plan of action in the event of a data breach, a survey found.


By Jill McKeon

Over 20 percent of small healthcare organizations surveyed by Software Advice reported experiencing a data breach, and 46 percent of those breaches could be attributed to human error. The survey results revealed that as healthcare cyberattacks and data breaches increase, too many healthcare organizations remain unprepared.

The survey also found that 42 percent of small practices and 25 percent of large practices spent no more than two hours on data privacy and security training in 2021. Meanwhile, a third of large practices reported experiencing a data breach within the last three years, and 51 percent of those breaches were caused by human error.

Software Advice defined a small healthcare organization as a practice with five or fewer licensed providers. Large practices had six or more providers.

“Technology is an incredible tool that has improved the quality of medical care delivered and even saved lives. But increased adoption does have a downside: namely, the vulnerability it creates for sensitive data and increased risk of things like identity theft and credit fraud for patients and ransomware attacks for practices,” the report stated.

“This is exactly why every healthcare provider that deals in patient data—meaning all of them—must take certain precautions when it comes to protecting their data.”

Almost half of all respondents said that 90 percent of their data was stored digitally, including financial information and protected health information (PHI).

Despite healthcare’s increasing reliance on digital data storage and an uptick in healthcare data breaches and cyberattacks, 49 percent of small organizations and 15 percent of large organizations admitted that they did not have a codified plan of action in the event of a breach.

The HIPAA Security Rule requires organizations to implement an incident response plan and conduct employee security and privacy training regularly.

On a positive note, the majority of surveyed organizations reported that they had never experienced a ransomware attack. However, ransomware tactics and targets are evolving fast, and groups like Conti continue to target healthcare organizations.

To prepare for and defend against potential ransomware attacks, surveyed organizations implemented a variety of technical safeguards. Antivirus software, firewalls, data backups, and email security technology were among the most popular technical safeguards.

“More small practices are spending money on antivirus software than large ones, which means small practices may want to reduce budget in this area to shift funds to the tools that larger practices are more heavily invested in, such as email security and network security software,” the report noted.

The report indicated that small healthcare organizations were more vulnerable to data breaches and cyberattacks for a variety of reasons. But if budget is a concern, small healthcare organizations should consider focusing their limited resources on training employees and creating a culture of cybersecurity within their practice, rather than implementing the latest and greatest technologies.

“Throwing money at the problem of data security is certainly one way to address it, but it’s not the most effective (or even the smartest) option,” the report advised.

“Paying for every data protection tool available isn’t a wise option as it leaves you vulnerable to other avenues of attack or breach, such as incidental exposure or human error.”

Instead, organizations should invest in the right security tools for their organization, train employees to prevent human error, and develop an incident response plan to minimize damage in the event of an attack.