Ransomware a huge concern for small targets

Small and rural providers may be more vulnerable to hacking than larger organizations, but they can muster resources and staff to defend themselves.


As evidenced every day in the news, today’s hackers are running a very successful extortion racket using ransomware, and it’s become a primary threat to healthcare organizations, large and small.

News reports tend to focus on the “big fish” that get snagged in ransomware’s net, but smaller hospitals are targets as well. Disruption to the continuity of services can be detrimental, no matter what the size of the organization is. The question is how big a target your small hospital is.

Small hospitals have many challenges that are similar to those of their larger counterparts, but the infrastructure of a smaller hospital can pose additional challenges. One of the most significant barriers to an effective ransomware defense can be a lack of resources. More specifically, it is difficult for facilities in rural areas to recruit and retain required talent.

In addition, it is difficult for small facilities to have enough resources to build and manage a solid security program. In some small facilities, the security officer, the CIO and the COO are all the same person. That increases the potential risk of security vulnerability, simply because one person with diverse responsibilities lacks the time to cover all his or her many priorities. Business continuity is a high priority, but it may not get the attention it requires in a small organization.

There are ways for a small organization to reduce its vulnerability to IT security threats, such as ransomware, without additional resources. Reducing risk without increasing costs can be accomplished by efficiently and effectively utilizing current resources to strengthen the organization’s security defenses.

An organization’s strongest line of defense is the employee. Small hospitals require synergy for success in security prevention, because the whole is greater than the sum of its parts. As the old adage goes, an organization is only as strong as its weakest link; therefore, addressing employees’ knowledge of important security practices will strengthen the organization as a whole.

One action that can affect the whole organization is implementing a security awareness program, focusing on education and communication, with the intent of preventing system users from performing risky actions, particularly clicking on dangerous web links contained in emails. Building a strong security awareness program can reduce the risk of a breach of confidential information and of loss of continuity, and can develop a more competently aware and empowered employee.

This is not a short-term, one-time solution, and any such initiative should be tailored to the culture of the organization, keeping in mind the average rate of employee retention. A security awareness program not only makes the employee aware, but also empowers the employee to teach, advocate and impress upon others the importance of security.

Empowered staff are more actively engaged, and they often can find value in training that applies to how they conduct, and protect, their personal lives. Employees truly are the stakeholders promoting buy-in, ownership and accountability.

It is sometimes the small efforts that greatly reduce risks to business continuity. One small effort with the biggest gain is implementing an education and awareness program that includes the following components.

  • Testing staff on identifying, and not falling prey to, baseline risky actions.
  • Recording baseline performance and setting improvement goals.
  • Implementing a training response program that is tailored to the responses of staff.
  • Branding security consistently through a program that engages staff through a monthly informative news article anonymously written by employees who have performed risky actions, thus promoting accountability and self-research/learning; transparently reporting quarterly to all staff on current metrics in relation to the organization’s goals; and consistent communication through email, text and social media.

There are many lines of defense to a mature and strong security program, and particularly at smaller healthcare organizations, the most important is the human line.

Like any good fortress, you can have a moat with alligators and a rock wall built on a steep hill, but if there are no people that desire or know how to protect it, it will inevitably crumble. The stronger the people, the more successful the organization will be. Our small organization may exist on flat ground, have a shorter wall made of hay stacks, and a moat full of minnows, but the people are born of resilient pioneers, and the strongest people I know.
