Insights · Medical & Dental

Ransomware loves small practices. Here are the five controls that take you off the list.

Criminals target medical and dental offices precisely because they're small, busy, and hold priceless data. The good news: five controls stop the vast majority of attacks.

By Andrew · NextGen Strategy PartnersJuly 14, 20265 min read

Ask most practice owners about ransomware and you'll hear some version of "we're too small for anyone to bother with." The uncomfortable truth is the opposite: attackers target small medical and dental practices because they're small — big enough to pay, too busy to be hardened, and holding the most valuable records criminals can steal.

A patient chart sells for many times what a stolen credit card does, because it can't be cancelled. And a practice with a full schedule has almost no tolerance for downtime — which is exactly the pressure ransomware is built to exploit. When the practice management system is encrypted and the waiting room is full, "just pay it" starts sounding reasonable. Attackers know this. Their business model depends on it.

How it usually starts

Not with hacking in any cinematic sense. The typical entry point is an email: a fake invoice to the office manager, a "voicemail notification," a login page that looks exactly like your patient portal or email provider. One click, one password typed into the wrong box, and the attacker is inside — often quietly, for weeks, mapping your systems and finding your backups before encrypting everything at once, usually on a Friday night.

The ransom is rarely the biggest cost. The biggest costs are the days of cancelled appointments, the breach notification obligations, and the patient trust you can't invoice your way back to.

The five controls that matter most

Security vendors will happily sell you fifty things. For a small practice, the overwhelming majority of real-world protection comes from five:

You'll notice these are the same controls your cyber-insurance carrier now requires — that's not a coincidence. The insurance industry has quietly become the small practice's security regulator, and its checklist is a good one.

The HIPAA layer on top

For a covered entity, an incident isn't only an operational crisis — it's a compliance event with notification duties and, potentially, an OCR investigation that opens with one request: your security risk assessment. The five controls above, documented in a current risk assessment, are simultaneously your best defense and your best paperwork.

The practical takeaway

Score yourself honestly against the five controls this week. Anything you can't confidently check off — or can't prove with documentation — is the priority. Our free practice IT assessment tests all five and hands you the findings in plain English, whether or not we ever work together.

You can't make your practice a smaller target. You can make it a harder one — and attackers, like water, follow the path of least resistance. The goal is simple: be the practice they skip.

Andrew, founder of NextGen Strategy Partners

Andrew — Founder, NextGen Strategy Partners

Veteran-owned managed IT for the nonprofits, schools, behavioral health providers, and medical & dental practices of McHenry & Lake Counties. Request a free security assessment →

Find out where you stand — before someone else does.

Our free IT security assessment gives your leadership a plain-English report on your risks, your compliance gaps, and exactly what it would cost to fix them. No obligation, no jargon.

Request the free assessment