The Quiet Cybersecurity Crisis in Outpatient and Post-Acute Care from HIT Danielle Morrison, BSN, RN, National Practice Manager – Healthcare IT Services at All Covered

News headlines tend to focus on big events. Notable examples are the attacks on Change Health and Ascension in 2024. Effects from these events continue to pop up in news cycles. However, the cybersecurity incident at the 30-bed skilled nursing facility or the ransomware attack at the 15-provider urology practice down the street that brought care to a complete halt will not be on the 5 o’clock news anywhere.

Security events like these have the same significant, long-term consequences for the clinicians, patients, support staff, and leadership experiencing them as events at large health systems, but very few people beyond those directly affected are aware of them. This freedom from headlines can fold into the overall culture of a healthcare organization. It can give leadership a false sense of security regarding cyber defenses while lowering the priority given to implementing and maintaining up-to-date, evolving security solutions. It also fosters end-user nonchalance regarding their role in protecting patient data and keeping systems secure. Unfortunately, the reality is that no organization is small enough to be exempt from cyber threats or security vulnerabilities, and many decision makers at smaller independent healthcare practices are not fully aware of how at risk their organization is.

In 2024, an estimated 193 million medical records were compromised due to ransomware attacks and data breaches, with an average event rate of 2 per day. According to the US Census, as of November 2025, the US population is 342.9 million people. Though there are plenty of ways to interpret this information, it could be speculated that over 50% of the US population had their health information compromised in 2024. Safeguarding protected health information is the shared responsibility of healthcare providers, their workforce, decision makers, and their business associates in any care setting, of any size, and is required by federal law.

Smaller size no longer shields a healthcare practice from the same ransomware campaigns, phishing attacks, and data exfiltration tactics that target hospital systems. By acknowledging risk, assessing vulnerabilities, and investing in protections, private healthcare providers can better safeguard their data, but there are many obstacles to achieving this, such as limited budgets, scarce IT resources, and competing priorities. If threat actors ever exercised discretion in choosing their victims, they no longer do. They know that independent practices facing these obstacles often lack the defenses of larger health systems, and they exploit the outdated software, weak access controls, and mediocre staff training those practices may have.

The challenge is clear: how can smaller, independent healthcare organizations develop the ability to prevent, withstand, and recover from cybersecurity incidents with limited budgets and expertise? While there is no single solution, product, or approach, there are several strategies that can help promote success.

Shared Services and Partnerships

According to the Health Sector Coordinating Council (HSCC), just 14% of healthcare organizations say their IT security teams are fully staffed. Over half say they need more help, and 30% say they are understaffed or severely understaffed. Even as organizations acknowledge that their IT teams are understaffed, the complexities around technology are increasing, as is the attack surface. Healthcare decision makers can work with trusted business partners that complement current resources while improving technology and security solutions in a compliant manner to optimize tools and skill sets. By partnering and sharing expertise and solutions, smaller organizations can access protections that would otherwise be unaffordable or unmanageable.

Cloud-Based Security Solutions

Moving to secure, cloud-hosted platforms can reduce the burden on local IT teams. Cloud environments offer built-in security features and regular updates that are easier to deploy, are scalable, and address compliance requirements. By integrating advanced encryption, identity management, and continuous monitoring, cloud platforms have proven to be highly effective at protecting patient data. Unlike on-prem systems, cloud solutions scale easily and can be more cost-effective. By assuming part of the security burden and offering built-in protections and compliance support, cloud solutions can relieve some of the load on resource-strained internal IT teams.

Training and Awareness

Human error remains the leading cause of breaches. Regular staff training on phishing, password hygiene, incident reporting, and security awareness can dramatically reduce the risk of a security event and transform staff from potential vulnerabilities into active defenders. Teaching staff to recognize suspicious emails reduces the risk of ransomware attacks. Educating staff on the use of longer passwords and passphrases, and successfully implementing multi-factor authentication, helps to prevent unauthorized access. Training staff to quickly report suspicious activity ensures faster containment and less damage. Regular training promotes an organizational culture in which protecting patient data is a part of effective patient care.

Incident Response Planning

Even small organizations need a plan for what to do when, not if, a security event occurs. In healthcare, minutes matter. A well-documented plan ensures staff know exactly what steps to take, reducing downtime and limiting care disruption. Without a plan, responses can be chaotic. Having an incident response plan standardizes actions across departments, teams, and even vendors, ensuring nothing critical is overlooked. Defining who communicates with patients, organizational teams, and outside parties prevents misinformation. Having an outline of how to isolate affected systems, restore backups, and resume operations safely is critical for the continuity of care.

Incremental Investment

Having strong cybersecurity does not have to be all-or-nothing. For independent healthcare organizations, upfront cybersecurity investments are unrealistic. Incremental upgrades such as multi-factor authentication, endpoint protection, and regular backups can provide meaningful protection without overwhelming budgets. Roadmapping incremental steps to build a layered defense over time allows organizations to adjust strategies as new risks emerge and shows due diligence in securing patient data.

Cybersecurity is a journey. By leveraging partnerships, adopting cloud-based solutions, investing in staff awareness, planning for incidents, and making incremental improvements, even the most resource-constrained organizations can strengthen their defenses.


About Danielle Morrison, BSN, RN 
Danielle Morrison, BSN, RN, is the National Practice Manager for Healthcare IT Services at All Covered, bringing over 30 years of expertise in healthcare and information technology. As a registered nurse with informatics and IT experience, Danielle has played a pivotal role in implementing and integrating technology solutions that optimize clinical and financial outcomes for healthcare organizations. Her extensive background fuels her commitment to advancing healthcare delivery through innovative technology solutions and strategies.
