Small Practice Ransomware Recovery Risks: Will Your Business Survive Just One?

by Deborah Alexander, Director on September 30, 2021




Failing to conduct a Security Risk Assessment (SRA) to identify threats and vulnerabilities carries increased risk, and the consequences can be more devastating for small offices. Several recent articles and presentations have highlighted how small practices are quickly becoming easy prey for ransomware attacks. Here is a brief summary of recent statistics on how small providers are becoming the targets of ransomware.

The Health and Human Services (HHS) Office of Information Security and Health Sector Cybersecurity Coordination Center (HC3) presented on June 3, 2021. HC3 reports tracking ransomware incidents in healthcare worldwide, with nearly 60% impacting the United States health sector. Within the U.S., the top victims in 2021, as of May 25, 2021, were Health or Medical Clinics, accounting for over eighteen ransomware incidents occurring in California, Texas, Georgia, Illinois, and Louisiana. Victim data was leaked in at least 72% of the U.S. incidents. HC3 noted that the average ransomware payment is $131,000, which does not account for staff downtime, device upgrade costs, network cost, lost opportunities, or forensic consulting costs to rectify the incident.

On June 15, 2021, Chiropractic Economics published an article titled “Ransomware removal and the most common health care cyberattack.” This article appears to mirror the trends reported by HC3, with Health or Medical Clinics becoming the primary target. Here are a few of the author’s key highlights from Chiropractic Economics:

  • The national average cost to mitigate ransomware is $158,000 with smaller practices averaging $90,000. This includes fines and penalties.
  • 89% of cyberattacks are now ransomware.
  • 2-4 chiropractic offices are hit by ransomware per month, with a possible business shutdown.
  • Lack of an SRA could be viewed as “willful neglect” resulting in higher HIPAA violation fines.
  • Ensure Business Associate agreements are in place.
  • Train staff regarding breach reporting and HIPAA Security.

Questions for Small Practices

  • Does your small practice or medical clinic have the financial viability to survive a ransomware incident?
  • Is the price of not conducting an SRA now worth losing your business?
  • How much does an SRA cost, and how does it protect my business?
  • Where can I obtain HIPAA Security policies and procedures?

Let LW Consulting, Inc.’s HIPAA Security consultants assist you with these decisions. LWCI offers the HIPAA SP3: Security Policies and Procedures Package, which can be found on our LWCI Learning Center, or our experts can set up a time to discuss your needs.


To learn more about how LWCI can help you, set up a 15-minute discussion with one of our experts, Deborah Alexander, Director, CHC, CHPC, PMP, DPT, MED, STC, CSCS.


Topics: Compliance, Healthcare IT