Ransomware is targeting vulnerable, smaller clinics

Ransomware doesn’t care about the size of your healthcare facility. While we’ve heard about a lot of attacks recently against large hospitals, that doesn’t mean cyberattackers aren’t also going after smaller clinics.

READ ABOUT: The largest medical cyberattack in U.S. history?

The H1 2022 Healthcare Data Breach report illustrates that hackers target smaller businesses as much as (if not more than) larger institutions. Especially with ransomware. Because of this, email security should be a top priority to safeguard patients and their protected health information (PHI). And it’s also important for organizations to comply with HIPAA by employing robust cybersecurity features like HIPAA compliant email.

Small clinics: big cybercrime targets with little security

Small and midsize businesses (labeled as SMBs) are known for fewer employees, less revenue and reduced budgets. A “small” business typically has up to 100 employees and generally less than $50 million in annual revenue. A “midsize” business has between 100-999 employees and between $50 million to $1 billion in annual revenue.

Research from the Cyber Readiness Institute demonstrates that a business’ perception of cybersecurity importance depends on its size. In fact, some SMBs think they are too small to be attacked. They are, therefore, less apprehensive about and less prepared for a cyberattack. But the numbers don’t lie. 2022 NordLocker research found that SMBs make up 58.8% of ransomware attacks.

John Delano, Healthcare Cybersecurity Strategist at Critical Insight, who released the H1 report, stated:

“Attackers are continuing to push the envelope . . . [t]his move from large hospital systems and payers to smaller entities that truly have a deficit when it comes to cyber defenses, shows a massive change in victims and approach. As we continue into 2022, we anticipate attackers to continue to focus on these smaller entities for ease of attack, but also for evasion of media attention and escalation with law enforcement.”

Why the lack of strong cybersecurity?

Given healthcare’s continuously tired, stressed staff, hackers know that ransomware and email schemes work. And smaller organizations are continuously the victims. A big part of this is the lack of strong cybersecurity, though this is not the only reason hackers target SMBs.

LEARN MORE: The top five security vulnerabilities of SMBs

First, smaller healthcare organizations have desirable sensitive data (i.e., PHI) just like larger institutions. The difference: PHI is easier to steal from a small versus large organization due to a lack of security preparedness and is still as valuable. This leads to the second reason hackers target small clinics. Reports show that these organizations are more likely to pay a ransom to recover data. Especially when faced with the choice of either paying a quick ransom payment or suffering long-term costs and shutdown services.

Finally, smaller organizations are sometimes stepping stones to higher-profile targets. We know that large hospitals use business associates for smaller tasks such as claims processing or data analysis. And we know that some health systems include smaller clinics along with major hospitals. Their vulnerabilities become larger institutions’ vulnerabilities quickly. Given all this, SMBs look more and more attractive to hackers every day.

Ransomware and its effect on small businesses

Ransomware is malicious software (included with phishing emails) that holds data hostage until someone pays a ransom to release it. It cripples healthcare organizations and makes it hard for them to access patients’ PHI and provide proper patient care. And it is far more common in healthcare than you think.

RELATED: Why is healthcare a juicy target for cybercrime?

For smaller organizations, the lack of resources makes them more vulnerable to ransomware attacks. And affording cybersecurity can be as impossible as affording a cyberattack and everything that comes with it. But when a victim unknowingly clicks on a link or attachment, malware can encrypt data or create a backdoor for cybercriminals to copy data.

However, system issues and locked or copied PHI are not the only problems. Any downtime leads to lost revenue, angry patients and even patient death in some cases. During the first half of 2022, the average cost of small business cyberattack claims was $139,000, 58% higher than the first half of 2021.

There is also a ransom payment to deal with and a possible HIPAA violation. Ransomware strikes smaller organizations especially hard since disruptions in care can put patients’ lives in danger. Therefore, they are more likely to comply with ransom demands.

Think before paying a cyberattack ransom

A Coveware report on 2021 ransomware attacks highlights a shift in tactics by hackers. They are looking for organizations that can pay a ransom but are too small to have high operating costs. The report confirms that companies with 11 to 100 employees make up a large proportion of overall victims.

But as we and experts repeat, paying a ransom does not necessarily help.

RELATED: To pay or to not pay for stolen data

This is because your data may not necessarily be unlocked after payment. Once you pay the ransom, the best-case scenario is that the cyberattacker provides a decryption key to restore data access. But sometimes, there’s no guarantee that this will happen. In some cases, the threat actor may even demand more money. Or they may share your information on the dark web, which can open you up to further attack.

Moreover, these shifting tactics show hackers that cyber extortion works, which means more businesses will suffer these attacks.

Most important: stop ransomware from finding you

Unfortunately, the U.S. Office for Civil Rights is facing an overflowing caseload of ransomware incidents and other healthcare cybersecurity threats. So it is important to stop ransomware before becoming a statistic.

WATCH THE VIDEO: HIPAA compliance basics for small healthcare providers

Six steps for small businesses to avoid ransomware attacks

The U.S. Ransomware Task Force recently released a Blueprint for Ransomware Defense, designed for SMBs as a ransomware checklist. It highlights things to do to prepare for, defend against and recover from ransomware attacks. This means:

1. Knowing what is on your network
2. Training employees
3. Installing perimeter defenses (e.g., firewalls) and access controls
4. Staying on top of vulnerabilities and patches
5. Developing strong protection, prevention and recovery policies
6. Using offline, encrypted data backup

And, of course, with email serving as a leading threat vector, employing a solid email security plan helps too. That’s where a HIPAA compliant email provider like Paubox Email Suite comes in.

Paubox Email Suite – good for any size healthcare organization

Whether you are a large hospital or a standalone clinic, Paubox Email Suite has the right email protections to keep your data and organization HIPAA compliant and secure. Paubox safeguards nearly 70 million HIPAA compliant emails each month for more than 4,000 healthcare customers and has a 4.9/5 G2 rating.

SEE ALSO: Is email HIPAA compliant?

Our technology is HITRUST-CSF certified and provides the most advanced HIPAA compliant email solutions available. We enable HIPAA compliant email by default to ensure automatic compliance with HIPAA email rules. This means you don’t have to decide which emails to encrypt. Patients receive messages right in their inbox—no additional passwords or portals necessary. And better yet, Paubox Email Suite’s Plus and Premium levels include robust inbound email security tools that block cyberattacks from even reaching an inbox.

By focusing on the protection of its most critical aspect (i.e., PHI in the healthcare industry), an SMB can use Paubox Email Suite to build the necessary layers to defend itself now and in the future. Far too many healthcare organizations don’t take the risk seriously until it’s too late. Becoming a victim of a cyberattack is not sustainable, but avoiding one is.