Why Healthcare Is a Target
There is an insistent belief among small practice owners that attackers only go after hospitals and health systems. That belief is wrong, and it is dangerous.
Attackers target small practices for the same reason burglars prefer houses without alarm systems or large dogs. A five-physician orthopedic group and a 400-bed hospital hold the same type of data: Social Security numbers, insurance billing records, dates of birth, diagnostic codes, and payment information. A complete medical record sells for more on the dark web than a credit card number because a credit card can be canceled in minutes, but a medical identity can be exploited for years. The difference is that the hospital has a security operations center, a CISO, and a seven-figure security budget. The orthopedic group has an overworked office manager who also juggles IT.
The numbers bear this out. The FBI's Internet Crime Complaint Center received 238 ransomware complaints and 206 data breach reports from healthcare and public health sector organizations in 2024 alone. The Verizon 2025 Data Breach Investigations Report analyzed 1,710 security incidents and 1,542 confirmed breaches in healthcare, with 67% attributed to external attackers and 30% to insiders. The financial motive drove 90% of attacks. And the one finding that should keep every practice administrator awake is that ransomware was present in 88% of breaches at small and mid-sized businesses across all industries. Healthcare SMBs are no exception to that trend.
If you run a medical practice, dental office, behavioral health clinic, physical therapy group, or any organization that touches protected health information, you are a target. It's not because someone is specifically after you; it's because you fit a profile that works.
Threat #1: Ransomware
What It Is
Ransomware is software that encrypts your files so you cannot access them, then demands payment (usually in cryptocurrency) to unlock them. In a medical practice, this typically means your EHR goes dark, your scheduling system stops, your billing freezes, and your staff cannot access patient records. You are functionally shut down.
What It Looks Like When It Happens
Here is a scenario that plays out regularly and is closer to reality than most practice owners realize.
It is a Tuesday morning at a four-provider family medicine practice. The front desk opens the EHR and an error pops up. The practice manager tries from her workstation and gets the same thing. Someone walks back to the server closet and finds a text file on the screen: "Your files have been encrypted. Pay 4.5 Bitcoin to the following address within 72 hours or your data will be published." That is roughly $350,000 at current prices. The practice has 11 employees, annual revenue around $2 million, and no incident response plan.
What happens next is worse than the ransom itself. Patients cannot be seen because the practice cannot access their records, medication lists, or allergy information. Appointments for the day are canceled. The practice manager calls their IT person, who says he has never dealt with ransomware before. Someone suggests calling the FBI. Someone else suggests just paying. Nobody knows which option is right.
I have seen variations of this scenario at practices ranging from medical device companies to mid-sized specialty groups. The attackers do not care about your specialty. They care that you will pay because you cannot function without your data.
How It Gets In
Ransomware enters healthcare practices through a handful of predictable paths:
Phishing emails are the most common. An employee clicks a link or opens an attachment that installs malware. The malware sits quietly for days or weeks, mapping the network and identifying backup locations, before deploying the encryption payload. This delay is deliberate. The attackers want to make sure your backups are compromised before they lock you out.
Remote Desktop Protocol (RDP) exposed to the internet is the second most common. If your IT setup allows remote access to workstations or servers through RDP without a VPN and MFA, you are leaving a door open that automated scanning tools find in minutes. During COVID, many practices set up remote access quickly and haven't looked back since.
Unpatched VPN appliances and edge devices accounted for a growing share of attacks in 2024. The Verizon DBIR found that exploitation of vulnerabilities surged 34%, with zero-day attacks on VPNs and edge devices making up 22% of all vulnerability exploitation, up from 3% the year before. If your practice uses a firewall or VPN appliance that has not been updated in the last 90 days, this is your risk.
What It Costs
The median ransom payment dropped to $115,000 in 2024 according to the Verizon DBIR, and 64% of victims did not pay. But the ransom is not the real cost. The real cost is the downtime, the HIPAA breach notification process, the lost patients, and the potential OCR investigation.
A small practice that is offline for two weeks loses revenue, pays for emergency IT services, potentially pays for credit monitoring for affected patients, and faces the administrative burden of notifying HHS and every affected individual. The Change Healthcare ransomware attack in 2024 disrupted claims processing for thousands of practices nationwide, and the eventual ransom payment was $22 million. Your practice does not need to be the direct target to feel the impact of a healthcare ransomware event.
What Stops It
These are not aspirational recommendations. They are tested controls that actually stop ransomware from succeeding:
Offline backups tested monthly. Your backups need to be disconnected from your network so ransomware cannot encrypt them. And you need to test restoring from them regularly. A backup you have never tested is not a backup. It is a hope, and hope is not a strategy. (See: Data Backup and Recovery in the Controls Library)
MFA on every account that accesses your systems remotely. This includes your EHR, your email, your VPN, and any remote desktop connections. MFA stops the credential theft that precedes most ransomware deployments. (See: Multi-Factor Authentication in the Controls Library)
Patch your edge devices. Your firewall, VPN appliance, and any internet-facing equipment need to be updated within 48 hours of a critical patch release. If your IT provider does not do this automatically, ask them why. (See: Patch Management in the Controls Library)
Endpoint detection and response (EDR) on every workstation. Traditional antivirus is not sufficient anymore. Modern EDR tools monitor behavior and establish a user's baseline to better detect ransomware deployment in progress, often stopping encryption before it completes. (See: Endpoint Protection in the Controls Library)
What Your Insurance Carrier Will Ask
Every cyber insurance application for a healthcare practice will ask whether you have MFA enabled for remote access, whether you maintain offline backups, whether you have an incident response plan, and whether you use EDR. If the answer to any of these is no, you will either be denied coverage or your premium will reflect the risk. Carriers are rejecting approximately 41% of first-time SMB applications, and the most common reason is a missing MFA or EDR control.
Threat #2: Phishing
What It Is
Phishing is a fraudulent message, almost always an email, designed to trick someone into clicking a link, opening an attachment, or providing credentials. It is the most reported crime to the FBI, with 193,407 complaints in 2024, more than double the next category.
What It Looks Like in Healthcare
In a medical practice, phishing attacks tend to target three roles: the billing coordinator, the practice manager, and the physician.
The billing coordinator gets an email that appears to be from a major insurance payer with an "updated remittance advice" attached as a PDF. The PDF either contains malware or links to a credential harvesting page that mimics the payer's login portal. Once the attacker has the billing coordinator's credentials, they can access the payer portal, redirect payments, or use that foothold to move deeper into the practice's network.
The practice manager gets an email that appears to be from the EHR vendor about a mandatory security update. The link goes to a page that looks identical to the EHR login screen. The practice manager enters her credentials, which now belong to the attacker.
The physician gets an email from what appears to be a colleague at a referring practice, with a shared patient document attached. The attachment is a weaponized Word file.
I worked with a practice where the billing manager received an email that looked exactly like a routine Availity login notification. She entered her credentials on the spoofed page. Within a few hours, the attacker had submitted three weeks of claims to a different bank account. The practice did not discover the redirection for 22 days. The total loss was over $40,000, and the insurance payer took the position that the practice was responsible because the compromise originated on their end.
How It Gets In
Phishing works because it exploits trust and routine. A billing coordinator who processes insurance remittances every day is not going to scrutinize every email from Humana. A practice manager who gets regular emails from the EHR vendor is not going to hover over every link to check the URL. Attackers know this and design their messages to blend into the daily workflow.
The technical defenses matter (email filtering, DMARC, SPF records), but the human element is where phishing succeeds or fails. The 2025 Verizon DBIR found that 60% of people who fell for phishing emails clicked within the first hour of receiving them, and the median time to click was under 30 seconds. People are not failing because they are careless. They are failing because the emails are good and the pace of a medical office does not allow for careful inspection of every message.
What Stops It
Security awareness training that is specific to your practice. Generic "don't click suspicious links" training does not work. Training that shows your billing staff a fake Compass login page, or your front desk a fake patient portal notification, works. Run simulated phishing tests quarterly. (See: Security Awareness Training in the Controls Library)
Email filtering with attachment sandboxing. Your email provider should be scanning attachments in a virtual environment before delivering them. The best at this is Mimecast, but Google Workspace and Microsoft 365 both offer this on higher-tier plans. (See: Email Security in the Controls Library)
DMARC, SPF, and DKIM configured on your domain. These email authentication protocols prevent attackers from sending emails that appear to come from your practice's domain. If you have not configured these, someone can send an email that appears to be from your office to your patients, your payers, or your staff. (See: Email Security in the Controls Library)
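The following checker, added here as an example and not taken from the article, shows what "configured" means for SPF and DMARC in practice: it parses the two TXT records and flags the weak settings (a permissive `+all`, a `p=none` policy, no reporting address) next to the corrected records. The record strings are constructed samples; a real check would fetch the TXT records for your domain with a DNS client and pass them to these functions. DKIM is omitted because it is verified per selector and needs the selector name, which this example does not assume.

```python
"""Check SPF and DMARC TXT records for the weak settings discussed above.

Added example, not code from the original article. The record strings are
constructed samples; look up your own records with a DNS client and pass the
TXT strings to these functions.
"""
import re

# Constructed sample records: a weak pair and a corrected pair.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-practice.invalid; pct=100"

# Mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECH = re.compile(r"[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr|exists:|redirect=)", re.I)


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return {"valid": False, "reason": "record does not start with v=spf1"}
    all_qualifier, mechanisms = None, []
    for token in parts[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", token, re.I)
        if m:
            all_qualifier = m.group(1) or "+"  # a bare 'all' means '+all'
        else:
            mechanisms.append(token)
    return {"valid": True, "mechanisms": mechanisms, "all": all_qualifier}


def spf_findings(record: str) -> list:
    """Return a list of weaknesses; an empty list means nothing was found."""
    info = parse_spf(record)
    if not info["valid"]:
        return [info["reason"]]
    findings = []
    if info["all"] is None:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    elif info["all"] == "+":
        findings.append("'+all' permits any server to send as your domain")
    elif info["all"] == "?":
        findings.append("'?all' is neutral; use '-all' (fail) or '~all' (softfail)")
    lookups = sum(1 for t in info["mechanisms"] if LOOKUP_MECH.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Flag a monitoring-only policy, missing reports, partial enforcement."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("p tag missing or invalid")
    if "rua" not in tags:
        findings.append("no rua address: you will not receive aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of your mail")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def assess_domain(spf: str, dmarc: str) -> dict:
    """Combine both checks; 'ok' is True only when neither record has findings."""
    spf_issues, dmarc_issues = spf_findings(spf), dmarc_findings(dmarc)
    return {"spf": spf_issues, "dmarc": dmarc_issues, "ok": not (spf_issues or dmarc_issues)}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("corrected", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_domain(spf, dmarc))
```

Running the script prints the findings for the weak pair and an empty result for the corrected pair. The useful habit is to run this against your real records after any change to your mail provider, since a migration often leaves an old `include:` behind or resets DMARC to `p=none`.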
What Your Insurance Carrier Will Ask
Carriers will ask whether you conduct security awareness training, how frequently, and whether you run simulated phishing campaigns. They will also ask whether you have MFA on your email accounts. A practice that answers "no" to both is telling the carrier that the most common attack vector in cybercrime has a clear path into the organization.
Threat #3: Insider Threat
What It Is
An insider threat is a security risk that comes from within the organization. It can be malicious (a disgruntled employee stealing patient data) or accidental (a well-meaning staff member emailing a spreadsheet of patient information to the wrong address). In healthcare, both types create HIPAA exposure.
What It Looks Like in Healthcare
The Verizon DBIR attributed 30% of healthcare breaches to insiders, which is significantly higher than most other industries. This is not because healthcare employees are inherently less trustworthy; it's because healthcare workflows require broad access to sensitive data, and the controls around that access are often weak.
Here is one I read about that sticks with me. A specialty practice had a medical records clerk who had been with the practice for nine years. She was trusted, well-liked, and had access to every patient record in the system. After a dispute with management over scheduling, she downloaded a spreadsheet containing the names, dates of birth, Social Security numbers, and insurance information of approximately 3,200 patients onto a personal USB drive. She did not do anything with the data immediately. The practice discovered the download six weeks later during a routine access log review that their new compliance officer had implemented. By then, the employee had resigned.
The practice had to notify 3,200 patients, report the breach to HHS, and deal with the reputational fallout in a small community where word travels fast. The entire incident could have been prevented with USB port restrictions and a data loss prevention policy.
The accidental version is more common and almost as costly. A front desk employee emails a patient's insurance verification form to the wrong fax-to-email address. A medical assistant forwards a lab result to a patient's family member without confirming authorization. A billing coordinator uploads a batch file to a shared Dropbox folder that a former contractor still has access to. None of these people intended to cause a breach, yet all of them did.
What Stops It
Role-based access controls in your EHR. Every staff member should have access to only the patient records they need for their specific job function. The front desk does not need access to clinical notes. The billing department does not need access to psychotherapy notes. Configure your EHR permissions to enforce this. (See: Access Control Management in the Controls Library)
Audit logging reviewed monthly. Your EHR should log every access to every patient record. Someone should be reviewing those logs for anomalies: after-hours access, bulk record views, access to records of patients not on the schedule. (See: Audit Logging in the Controls Library)
Offboarding procedures that actually work. When an employee leaves, their access to the EHR, email, payer portals, and any shared drives should be terminated the same day. Not the same week. The same day. I have seen practices where former employees retained access to patient records for months after departure because nobody updated the credentials. (See: Account Management in the Controls Library)
USB and removable media restrictions. Most modern endpoint management tools can disable USB ports or restrict them to approved devices. For a medical practice, there is rarely a legitimate reason for an employee to copy patient data to a personal USB drive. (See: Removable Media Controls in the Controls Library)
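The role-based access and audit logging controls above come together in the monthly log review. The script below is an added example, not code from the article or from any EHR vendor: it reads a constructed access-log export and raises the four kinds of anomaly the text names (a role opening a section it should not see, after-hours access, bulk record views, and access to patients who are not on that day's schedule). The log format, the role restrictions, the business hours and the bulk threshold are all assumptions to be mapped onto your own system's export.

```python
"""Monthly review of an EHR access-log export, as described above.

Added example, not code from the original article or any EHR vendor. The log
format, role-to-section restrictions, business hours and bulk threshold are
assumptions; adjust them to your own system's export.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export: one normal Tuesday morning, then a records clerk
# exporting 25 patients who are not on the schedule at 22:40.
SAMPLE_LOG = (
    "timestamp,user,role,patient_id,section,action\n"
    "2025-03-04 08:05:00,jpatel,front_desk,P1001,demographics,view\n"
    "2025-03-04 08:06:30,jpatel,front_desk,P1002,clinical_notes,view\n"
    "2025-03-04 09:10:00,dr_ruiz,physician,P1001,clinical_notes,view\n"
    "2025-03-04 09:15:00,mlee,billing,P1003,psychotherapy_notes,view\n"
    + "".join(
        f"2025-03-04 22:{40 + i // 6:02d}:{(i * 10) % 60:02d},rclerk,records,P{2001 + i},demographics,export\n"
        for i in range(25)
    )
)

# Constructed appointment schedule: patient IDs on the book per day.
SCHEDULE = {"2025-03-04": {"P1001", "P1002", "P1003"}}

# Assumed role restrictions, following the article's examples.
SECTION_DENY = {
    "front_desk": {"clinical_notes", "psychotherapy_notes"},
    "billing": {"psychotherapy_notes"},
}
BUSINESS_HOURS = (7, 19)  # assumed: 07:00 to 19:00, Monday to Friday


def parse_log(text: str) -> list:
    """Read the CSV export and attach a parsed timestamp to each row."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def review_access_log(text: str, schedule: dict, bulk_threshold: int = 20,
                      window: timedelta = timedelta(hours=1)) -> list:
    """Return findings as dicts with 'rule', 'user' and 'detail' keys."""
    rows = parse_log(text)
    findings = []
    after_hours = defaultdict(int)
    off_schedule = defaultdict(int)
    by_user = defaultdict(list)

    for r in rows:
        ts, day = r["ts"], r["ts"].date().isoformat()
        by_user[r["user"]].append(r)
        if ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            after_hours[r["user"]] += 1
        if r["section"] in SECTION_DENY.get(r["role"], set()):
            findings.append({"rule": "role_violation", "user": r["user"],
                             "detail": f"{r['role']} opened {r['section']} of {r['patient_id']}"})
        if r["patient_id"] not in schedule.get(day, set()):
            off_schedule[r["user"]] += 1

    # Per-user counts keep the report readable when one clerk touches 25 charts.
    for user, n in after_hours.items():
        findings.append({"rule": "after_hours", "user": user,
                         "detail": f"{n} accesses outside business hours"})
    for user, n in off_schedule.items():
        findings.append({"rule": "not_on_schedule", "user": user,
                         "detail": f"{n} accesses to patients not on that day's schedule"})

    # Bulk access: distinct patients touched by one user inside a sliding window.
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = {e["patient_id"] for e in events[start:end + 1]}
            if len(distinct) >= bulk_threshold:
                findings.append({"rule": "bulk_access", "user": user,
                                 "detail": f"{len(distinct)} distinct patients within {window}"})
                break
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, SCHEDULE):
        print(f"{f['rule']:16} {f['user']:10} {f['detail']}")
```

On the sample data the physician's morning chart review produces nothing, while the front desk and billing accesses each produce a role violation and the late-night export trips all three of the remaining rules. A real review should tune the bulk threshold to the practice's volume (a nurse rooming patients legitimately opens dozens of charts in a day) and feed the schedule from the practice management system rather than a hard-coded dictionary.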
Threat #4: Vendor and Third-Party Risk
What It Is
Vendor risk is the security exposure that comes from the other companies your practice depends on: your EHR vendor, your billing clearinghouse, your IT managed service provider, your cloud storage provider, your shredding company. If any of these vendors is compromised, your patient data may be exposed even though your own systems were never breached.
What It Looks Like in Healthcare
The 2025 Verizon DBIR found that third-party involvement in breaches doubled year over year, from 15% to 30%. In healthcare, this trend is especially concerning because the vendor ecosystem is large and the BAA compliance chain is only as strong as its weakest link.
The Change Healthcare ransomware attack in February 2024 is the most visible example. Change Healthcare processes approximately 15 billion healthcare transactions annually, touching an estimated one in three patient records in the United States. When the attack took down their claims processing infrastructure, thousands of practices across the country could not submit claims, receive payments, or verify patient eligibility. Practices that had no direct relationship with Change Healthcare were affected because their clearinghouse or their payer depended on Change Healthcare's systems. The breach exposed the protected health information of approximately 100 million individuals and resulted in a $22 million ransom payment.
Your practice did not need to have weak security for this to hurt you. You just needed to be connected to the healthcare ecosystem, which you are.
On a smaller scale, I have seen practices affected by IT provider compromises where the MSP's remote management tool was breached, giving attackers access to every client the MSP served. One compromised MSP can mean 40 or 50 small practices are exposed simultaneously. The attacker does not need to target each practice individually. They target the one vendor that connects to all of them.
What Stops It
Know who has access to your data and under what terms. Maintain a list of every vendor that touches patient data or has access to your systems. This includes your EHR vendor, your IT provider, your billing service, your cloud storage, and your document shredding company. (See: Vendor Risk Management in the Controls Library)
Require a BAA from every vendor that handles PHI. This is not optional under HIPAA. If a vendor will not sign a BAA, they should not have access to your patient data. Period.
Ask your IT provider how they secure their own systems. If your MSP uses a remote monitoring and management tool to access your workstations, ask them what MFA they use on that tool, whether they have a SOC 2 report, and what their incident response plan looks like if they are breached. If they cannot answer these questions clearly, that is information you need.
Have a plan for vendor outages. The Change Healthcare incident proved that even well-run practices can be paralyzed by a vendor failure. Can your practice operate for two weeks if your clearinghouse goes down? If your EHR is cloud-based and the vendor has an outage, do you have paper-based fallback procedures? (See: Business Continuity Planning in the Controls Library)
Threat #5: Business Email Compromise (BEC)
What It Is
BEC is a targeted attack where an attacker impersonates a trusted person, usually via email, to trick someone into sending money or sensitive information. Unlike phishing, which casts a wide net, BEC is researched and specific. The attacker knows who the practice manager is, who the physicians are, and how the practice communicates.
What It Looks Like in Healthcare
BEC caused $2.77 billion in losses in 2024 according to the FBI. In healthcare, BEC typically targets the person who handles accounts payable.
The attack often starts with a compromised email account, either yours or someone you work with. The attacker monitors email conversations to understand payment patterns, vendor relationships, and communication style. When the timing is right, they insert themselves into a thread and redirect a payment.
For a medical practice, this might look like an email from what appears to be your medical equipment supplier with "updated bank information for future payments." The email thread looks legitimate because it was extracted from a real conversation. The practice manager updates the payment information and sends next month's lease payment to an account controlled by the attacker.
In another common scenario, the attacker compromises a physician's email account and sends a request to the practice manager: "I need you to process a wire transfer for a conference registration. Here is the payment information. Please handle this today, I am in clinic and cannot do it myself." The practice manager knows the physician is in clinic and cannot be interrupted, so she processes the payment without a second thought.
What Stops It
Verification procedures for any payment change or wire transfer. Any request to change payment information for a vendor, and any wire transfer request, should be verified by a phone call to a known number (not the number in the email). This is a policy, not a technology. You have to write it down, present it, and enforce it. (See: Financial Controls in the Controls Library)
MFA on all email accounts. If an attacker cannot get into your email, they cannot monitor your conversations, extract vendor information, or impersonate you. This is the single most effective technical control against BEC.
Email forwarding rules reviewed regularly. Attackers who compromise an email account often set up forwarding rules that send copies of all incoming mail to an external address. Check your email forwarding rules monthly. (See: Email Security in the Controls Library)
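The monthly forwarding-rule review can be scripted. The block below is an added example, not code from the article or from any mail provider: it takes an exported list of mailbox rules, flags every rule that forwards or redirects to an address outside the practice's domain, and raises the severity when the rule also deletes the message or carries a blank name, both of which keep the rule out of the mailbox owner's sight. The rule dictionaries are constructed samples shaped like a simplified admin export, and the field names are assumptions; map your provider's export onto them first.

```python
"""Audit exported mailbox rules for forwarding outside the practice.

Added example, not code from the original article or any mail provider. The
rule dictionaries are constructed samples; their field names are assumptions.
"""

INTERNAL_DOMAINS = {"example-practice.invalid"}  # constructed

# Constructed rules: one benign internal copy, one hidden forward-and-delete
# rule, one redirect to a supplier, and one disabled leftover rule.
SAMPLE_RULES = [
    {"mailbox": "manager@example-practice.invalid", "name": "Copy claims to billing",
     "forward_to": ["billing@example-practice.invalid"], "redirect_to": [],
     "delete_message": False, "enabled": True},
    {"mailbox": "manager@example-practice.invalid", "name": ".",
     "forward_to": ["mgr.backup@freemail-example.invalid"], "redirect_to": [],
     "delete_message": True, "enabled": True},
    {"mailbox": "dr.ruiz@example-practice.invalid", "name": "Invoices",
     "forward_to": [], "redirect_to": ["ap@supplier-example.invalid"],
     "delete_message": False, "enabled": True},
    {"mailbox": "frontdesk@example-practice.invalid", "name": "old phone",
     "forward_to": ["desk@freemail-example.invalid"], "redirect_to": [],
     "delete_message": False, "enabled": False},
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address."""
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule: dict, internal: set) -> list:
    """All forward/redirect addresses whose domain is not one of ours."""
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    return [t for t in targets if domain_of(t) not in internal]


def audit_inbox_rules(rules: list, internal: set) -> list:
    """Return one finding per rule that sends mail outside the organisation."""
    findings = []
    for rule in rules:
        targets = external_targets(rule, internal)
        if not targets:
            continue  # internal-only rules are business as usual
        reasons = ["forwards or redirects to an external address"]
        severity = "medium"
        if rule.get("delete_message"):
            # forwarding plus deleting removes the copy the owner would notice
            reasons.append("deletes the message after forwarding")
            severity = "high"
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character")
            severity = "high"
        if not rule.get("enabled", True):
            # still worth reviewing: a disabled rule can be switched back on
            severity = "low"
            reasons.append("rule is currently disabled")
        findings.append({"mailbox": rule["mailbox"], "name": rule.get("name", ""),
                         "targets": targets, "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f["severity"].upper(), f["mailbox"], repr(f["name"]), f["targets"], "; ".join(f["reasons"]))
```

The output lists the hidden forward-and-delete rule first, the supplier redirect second and the disabled rule last. Treat every "high" as an incident until the mailbox owner confirms they created the rule, and pair the review with the MFA control above, since the same compromised account that created the rule usually has no second factor.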
How Healthcare Is Different: The Regulatory Context
Everything above applies to businesses in every industry. What makes healthcare different is HIPAA.
When a law firm has a data breach, they face reputational damage, potential malpractice claims, and client attrition. When a medical practice has a data breach involving PHI, they face all of that plus mandatory breach notification to HHS and every affected individual, potential investigation by the Office for Civil Rights, and civil monetary penalties that range from $100 to $50,000 per violation, with an annual maximum of $2,067,813 per violation category.
The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI. Most of the controls described on this page are either explicitly required or strongly implied by the Security Rule. Implementing them is not just good security practice. It is a legal obligation.
The proposed January 2025 HIPAA Security Rule changes would eliminate the "addressable" designation for several controls (including encryption and MFA), making them mandatory rather than risk-dependent. If those changes are finalized, practices that have been treating MFA and encryption as optional will need to comply or face enforcement.
For a plain-English walkthrough of what HIPAA requires from your practice, see our HIPAA Compliance Checklist.
Take the Next Step
This page gives you the picture. Our free cybersecurity assessment tells you where your practice specifically stands against each of these threats.