Small Clinics, Big Risks: Why Specialized Healthcare Providers Are Increasingly Targeted

When one thinks about breaches of personal data in health care, organizations like large hospitals and national health facilities often come to mind. However, as cybercriminals get "smarter" and seek out clinics and other smaller health care providers, small specialty practices are becoming increasingly attractive targets. These practices often lack the cyber security resources of larger organizations to defend against attacks, yet they hold sensitive patient information, which makes them an easy access point for hackers into the overall health care ecosystem.

The data breach at Southern Illinois Dermatology made this growing concern evident, showing that focused medical facilities of this type can still be the victim of major cyber security incidents. While many dermatology clinics are smaller than many other types of health care providers, they often manage substantial amounts of personal and medical information including, but not limited to, patient history, patient identification information, and patient treatment history.

One of the major reasons cybercriminals target smaller health care providers rather than larger hospital systems is that smaller providers are widely perceived as less secure. Unlike the large hospital systems that have dedicated cyber security teams, smaller clinics tend to rely heavily on limited IT support and often cannot regularly update or audit their systems. This gives cybercriminals an incentive to exploit weaknesses in those systems and gain access without permission.

Additionally, specialized clinics often use digital systems to track patient information, schedule appointments, and bill patients. While these tools have increased both the quality and speed of care delivered to patients, they have also centralized patient-related data in ways that were never possible before, which raises the risk. A single compromised system can therefore expose multiple categories of confidential data including, but not limited to, personal identifiers and patients' medical records.

The data breach at Southern Illinois Dermatology is another example of how unauthorized access to a single file can lead to greater concerns around the misuse of data. Even when only a small portion of the data is stolen, its contents, such as names, addresses, and medical record numbers, can lead to identity theft or targeted nefarious activity by hackers. In healthcare, even a small unauthorized disclosure of confidential information often has significant ramifications.

Finally, many small providers also face challenges when it comes to responding to an incident. Breach detection and response require not only technical expertise but also effective communications with those affected by the breach. When breaches go undetected for a long period of time, attackers have ample opportunities to extract or otherwise misuse the data in question.

Patients may not expect much from a break-in at a specialized clinic. Many people think small practices are less likely to be hacked than bigger clinics, which is why they feel secure using them. The truth is that all organizations that hold sensitive information are targets regardless of size.

The data breach at Southern Illinois Dermatology shows that cybersecurity should concern all healthcare providers, not just the big ones. Small providers need to put controls in place to safeguard patient data, such as using strong access controls, keeping their systems updated on a regular schedule, training their staff on the best security practices, and doing risk assessments routinely.

At the same time, patients should also know how their information is stored and used. They should check their personal records and medical records regularly, never respond to anything suspicious, and take action to protect themselves when there is a breach.

As healthcare has grown dependent on digital technology to communicate and exchange information, there has been an increasing emphasis on establishing robust cyber security practices throughout all facets of the healthcare sector. Data breaches, such as those suffered by Southern Illinois Dermatology, show that there are always "small" organizations with enough exposure to cyber security threats to warrant proactive precautions against breaches. Additionally, data is only as good as the amount of protection that is placed around it.