How Small Healthcare Organizations Differ from Big Healthcare Providers in Terms of Security

A recent Software Advice survey of healthcare organizations offers insight into healthcare data breaches, their actual causes, and the security practices in place at small and large healthcare companies.

The survey involved 130 small practices with 5 or fewer licensed providers and 129 big practices with six or more providers, and asked which security problems they face and which steps each group has taken to protect against cyberattacks and data breaches. In both groups, more than 50 percent of practices store over 90% of patient information digitally, for instance patient records, medical histories, and billing records. Digital records are more useful, but they also carry the risk that hackers could gain access to patient records.

Judging by the number of reported data breaches, hackers tend to target bigger practices rather than small ones. 48% of large healthcare organizations stated they had encountered a data breach previously, and 16% said they had experienced a breach in the past 12 months. 23% of small practices had suffered a breach at some point, with 5% suffering a breach in the last year. By far the main cause of data breaches was human error: 46% of small practices and 51% of big practices stated human error was the top reason for data breaches.

23% of small healthcare practices said they had encountered a ransomware attack before, compared to 45% of large practices. 5% of the attacks on small healthcare companies and 12% of attacks on large healthcare organizations happened in the last 12 months. 76% of small practices and 74% of big practices stated they had recovered at least part of their information from backups without paying a ransom, which demonstrates the importance of a good backup plan. That is particularly essential because paying the ransom does not guarantee the restoration of files. 23% of small practices paid a ransom to restore their files, compared to 19% of big healthcare companies; however, 14% of small healthcare organizations stated they failed to retrieve their files after paying the ransom.

11% of big practices completely lost their files because of the attack, 7% acknowledged data loss, and 4% paid a ransom yet still failed to recover their files. Most of the healthcare companies did not disclose the size of the ransom payment. Two small practices said they paid approximately $5,000 to $10,000 and two paid roughly $25,000 to $100,000.

To protect against attacks, healthcare companies have put in place a variety of technical safeguards, the most common being firewalls, antivirus software, email security solutions, and data backup technology. Small practices were spending more than large organizations on antivirus solutions, and although such solutions are crucial, it is just as important to invest in email and network security tools. Larger organizations with bigger budgets were more likely to purchase those tools and were better protected as a result. Software Advice recommends that smaller healthcare organizations consider reducing spending on antivirus applications and improving email and network protection, as that could help prevent even more data breaches.

It is critical not to overlook the human side of cybersecurity, particularly since so many data breaches were attributed to human error. The HIPAA Security Rule requires security awareness training for staff, but it should not be treated as a checkbox exercise. Regular security awareness training that teaches workers how to identify and avoid threats can significantly reduce the risk of a successful cyberattack. Even so, 42% of small practices and 25% of large practices stated they spent under 2 hours on privacy and security awareness training for staff members in 2021.

Two-factor authentication is an essential security measure for preventing compromised credentials from being used to gain access to accounts. Microsoft has previously stated that two-factor authentication can block over 99% of automated attacks on accounts. It is encouraging that 90% of big practices have implemented 2FA to some extent; small practices, however, are far less likely to use 2FA to protect their accounts. 22% of small practices stated they have not used 2FA yet, and 59% only use 2FA on a few applications.

Relying on data protection software alone is not a wise choice, because it leaves you vulnerable to other avenues of attack or breach, for example incidental exposure or human error. Instead, protect yourself on several fronts, advises Software Advice. That entails training staff members, buying the right security tools to secure data, and creating an action plan to help limit the damage in the event of a breach or attack.