7 ways to protect your practice from a cyberattack

A cyberattack is no longer a big-hospital problem. Health care has become one of the most-attacked sectors for ransomware, and the federal breach portal HHS maintains now logs hundreds of large breaches a year, collectively exposing the records of more than a billion people since 2009. Independent practices sit squarely in the blast radius, often because they are seen as softer targets than the health systems around them.

The threat keeps shifting toward the practices least equipped to absorb it. Ransomware groups increasingly hit smaller providers and the vendors that serve them, and a single intrusion can freeze scheduling, billing and clinical systems for days. Health care organizations also spend a fraction of what other industries do on security, which leaves exactly the gap attackers are counting on.

The encouraging part is that the controls that stop most attacks are neither exotic nor expensive, and regulators are about to make several of them mandatory. The proposed overhaul of the HIPAA Security Rule would, for the first time in more than two decades, require safeguards many practices still treat as optional. Here are seven places to start.