News | Articles | March 10, 2026

Small practices face growing cybersecurity burden as federal rules tighten

Sweeping HIPAA Security Rule updates push small practices toward mandatory MFA, encryption, audits and documentation as breaches surge and compliance deadlines loom.

Small and midsize medical practices across the country are bracing for what could be the most significant overhaul of federal health care cybersecurity rules in more than two decades, and many say they lack the money, staff and expertise to keep up.

The Department of Health and Human Services (HHS) is expected to finalize sweeping updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by May, with an implementation window of 180 days to one year after publication. The proposed changes would eliminate the longstanding distinction between “required” and “addressable” safeguards, making every security control mandatory regardless of a practice’s size or revenue.

Under the updated rule, all covered entities would need to adopt multifactor authentication for system access, encrypt all electronic protected health information, conduct annual security risk assessments, perform regular vulnerability scans and maintain detailed compliance documentation.

For large hospital systems with dedicated IT departments, the requirements represent an expansion of existing protocols. For a two-physician family practice or a solo mental health provider, they represent a sea change.

Many smaller organizations lack dedicated compliance or information security staff, and without the right tools, they struggle to conduct assessments that meet federal expectations. The HIPAA Journal has noted that the HHS Office for Civil Rights has made clear that the size of a practice is irrelevant when it comes to compliance and that smaller providers can no longer expect to fly under the radar.

The urgency behind the changes is clear. In 2024, more than 276 million patient records were compromised in health care data breaches, a 64% jump from the prior year. The Change Healthcare ransomware attack alone affected an estimated 190 million people, making it the largest health care data breach in U.S. history. Health care has held the top spot for breach costs for 14 consecutive years, with the average incident now running about $10 million.

Small practices are not exempt from the fallout. According to HHS enforcement data, in 2022, more than half of the financial penalties imposed by the Office for Civil Rights targeted small medical practices. And the agency has signaled through recent enforcement actions that practice size will not be treated as a mitigating factor.

On Capitol Hill, momentum is building as well. In late February, the Senate Committee on Health, Education, Labor and Pensions voted 22-1 to advance the Health Care Cybersecurity and Resiliency Act. The bipartisan bill would codify many of the proposed rule's requirements, including mandates for multifactor authentication and encryption. It would also create grants for under-resourced practices to improve their defenses and provide cybersecurity training.

Industry groups have urged HHS to consider the financial realities facing smaller providers. Compliance costs for new encryption tools, managed security services, staff training and documentation can quickly climb into the tens of thousands of dollars for practices already operating on thin margins.

Health care cybersecurity consultants recommend that smaller practices start with a comprehensive security risk assessment to identify gaps, then prioritize high-impact controls such as multifactor authentication and data encryption. Working with managed service providers that specialize in health care compliance is another common suggestion, as is taking advantage of free resources published by HHS, including its Cybersecurity Performance Goals.

The clock is ticking. Practices that begin planning now will be better positioned when the final rule takes effect, experts say. Those that wait could face not only regulatory penalties but also the kind of operational disruption that a single ransomware attack can bring.

What your practice can do now

Physicians Practice has published extensive guidance on protecting medical practices from cyber threats. Here are key steps drawn from the site's cybersecurity tips for medical practices and its breach response playbook.

Map how patient data move through your systems. Identify weak points in devices, vendor connections and staff workflows, then document risks and create an action plan. This kind of data flow audit is the foundation of any meaningful security risk assessment.

Enable multifactor authentication (MFA) and enforce strong passwords. MFA should be required for all remote and administrative logins. Pair it with a password manager to generate unique, complex credentials across the practice.

Encrypt everything and back it up. Encrypt laptops, drives and mobile devices, and use secure, encrypted channels for patient communications. Follow the 3-2-1 backup rule: three copies of your data, on two different media types, with one stored offsite. Test restores quarterly to make sure backups actually work.

Train your staff, and keep training them. Conduct phishing simulations and refresher sessions regularly. As one consultant told Physicians Practice, cybersecurity is not something to leave solely to IT. Practice leaders need to set the tone at the top by integrating security into the overall business strategy.

Segment your network. Separate clinical systems from guest Wi-Fi and administrative networks. Limit access using least-privilege permissions so that a breach in one area does not compromise the entire system.

Build and test an incident response plan. Assign roles, define communication steps and run tabletop drills. Include HIPAA breach notification procedures. The practices that respond fastest to an incident are the ones that have rehearsed it, according to Physicians Practice's guidance on breach response.

Vet your vendors. Third-party partners that handle billing, lab integration or telehealth may have access to sensitive patient data. Make sure their security practices are documented in your business associate agreements. As Physicians Practice has reported, over 55% of health care organizations have suffered a third-party breach in the last 12 months.

Stay current on threats. Subscribe to alerts from the Cybersecurity and Infrastructure Security Agency at cisa.gov and follow ongoing coverage from Physicians Practice to keep up with emerging risks and regulatory developments.