HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Differences Between Small and Large Healthcare Organizations on Security

A recent survey of healthcare providers by Software Advice provides insights into healthcare data breaches, their root causes, and the different security practices at small and large healthcare providers.

The survey was conducted on 130 small practices with five or fewer licensed providers and 129 large practices with six or more providers to understand the security issues they face and the measures each group has taken to protect against cyberattacks and data breaches. In both groups, more than half of respondents store over 90% of patient data digitally, including patient records, medical histories, and billing records. Digital records are more efficient, but they also mean that a single compromised system or account can expose large volumes of patient information.

Judging by the number of reported data breaches, larger practices are breached more often than small ones. 48% of large healthcare providers said they had experienced a data breach at some point, and 16% said they had suffered a breach in the past 12 months. Roughly one in four small practices (23%) had experienced a breach, with 5% suffering one in the past year. By far the most common root cause was human error: 46% of small practices and 51% of large practices identified human error as the leading cause of their data breaches.

23% of small healthcare practices said they had experienced a ransomware attack at some point, compared to 45% of large practices. For 5% of small providers and 12% of large providers, the attack occurred in the past 12 months. 76% of small practices and 74% of large practices were able to recover at least some of their data from backups without paying the ransom, which highlights the importance of backups that are kept isolated from production systems and regularly tested for restoration. That is especially important because paying the ransom comes with no guarantee that files can be recovered: 23% of small practices paid the ransom to recover their data, compared to 19% of large healthcare providers, yet 14% of small healthcare providers said they did not recover their data even after paying.


11% of large practices permanently lost data as a result of an attack: 7% accepted the data loss, and 4% paid the ransom but were still unable to recover their data. Most respondents did not state how much was paid. Two small practices said they paid between $5,000 and $10,000, and two paid between $25,000 and $100,000.

To defend against attacks, healthcare organizations have implemented a range of technical safeguards, the most common being firewalls, antivirus software, email security solutions, and data backup technology. Small practices were spending proportionally more than larger organizations on antivirus technology. Antivirus is important, but it does little against the phishing emails and credential theft behind many breaches, so email and network security tools deserve investment as well. Larger organizations with bigger budgets were more likely to have deployed those tools and were better protected as a result. Software Advice suggests that smaller healthcare providers consider shifting spending from antivirus software toward email and network security, as that could prevent more data breaches.

It is important not to neglect the human element of cybersecurity, especially given the large share of data breaches attributed to human error. Providing security awareness training to employees is a requirement of the HIPAA Security Rule (the security awareness and training standard at 45 CFR 164.308(a)(5)), but it should not be treated as a box-ticking exercise. Regular security awareness training that teaches employees how to recognize and avoid threats such as phishing can greatly reduce the risk of a successful cyberattack, yet 42% of small practices and 25% of large practices said they spent no more than 2 hours on privacy and security awareness training for employees in 2021.

Two-factor authentication (2FA) is an important security measure because it prevents stolen credentials alone from being used to access accounts. Microsoft has previously said that 2FA can block more than 99% of automated attacks on accounts. It is encouraging that 90% of large practices have implemented 2FA to some degree, but small practices are much less likely to use it: 22% of small practices said they have not implemented 2FA at all, and 59% use it only on some applications. Partial coverage matters, because an attacker only needs one unprotected account with access to patient data.

“Paying for every data protection tool available isn’t a wise option as it leaves you vulnerable to other avenues of attack or breach, such as incidental exposure or human error. Instead, remember that you must guard yourself on multiple fronts,” suggests Software Advice. That involves training employees, investing in the right security tools to protect data, and developing an action plan to help mitigate harm in the event of a breach or attack.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.