How to prevent data breaches in healthcare: a strategic defense guide for growing organizations

You’ve just acquired your third practice this year. Each location runs different systems. Your IT team says they’re “working on standardization,” but you know that means months of incomplete security coverage. Meanwhile, your board wants assurance that patient data is protected across all sites. 

This gap between growth and security keeps expanding. You add locations faster than you can implement consistent defenses. Each new practice brings unknown vulnerabilities.  

Healthcare organizations managing this expansion face a harsh reality: criminals specifically target you during these vulnerable transition periods. They know your security is fragmented. They know your staff at different locations follow different protocols. They know exactly when to strike. 

This guide shows you how to fix the security failures that lead to healthcare data breaches. You’ll learn how to build layered defenses that actually work, based on insights from cybersecurity experts who protect healthcare organizations every day. 


What healthcare data breaches really cost your practice 

You already know the headline number: $7.42 million average breach cost in healthcare, according to IBM’s 2025 report. The global average? Just $4.44 million. Healthcare has topped this list for 14 consecutive years. 

But you’re not running an average practice. You’re managing growth, multiple locations, and complex integrations. Your actual costs multiply with each site you add. 

Jeffery Daigrepont, Senior Vice President of Coker Group, works with practices after breaches occur. His assessment: “Even if their cyber insurance company kicks in, it’s almost never enough to fully cover.” 

Here’s what actually happens after a security failure: 

  • Forensic teams take over your systems for months 
  • Every affected patient requires individual notification and credit monitoring 
  • Legal bills mount as class actions form 
  • Regulatory investigations trigger regardless of breach size 
  • Your next insurance renewal costs far more, if you can get coverage at all 

The statistic that should worry growth-focused practices the most? A widely repeated estimate holds that roughly 60% of small businesses close within six months of a significant breach. The number is hard to verify, but the mechanism behind it is not: practices close not because of the initial ransom or even the fines, but because operations never fully recover. 

Your acquisition strategy assumes operational continuity. One major security failure across your platform destroys that assumption. The private equity group backing your expansion starts questioning every technology decision. The physician partners who sold you their practices wonder if they made the right choice. 

Why criminals target growing healthcare organizations 


Your patient data commands premium prices. Complete medical records sell for $250 to $1,000 on criminal markets. Credit cards bring just $5. 

Tim Grelling, Director of Information Security at Focus Solutions, sees how this economy works: criminal groups “gain access to organizations and then go out on the dark web and sell their access.” They’re not even stealing the data themselves anymore. They just sell entry points to other criminals. 

Think about what’s in each patient record: Social Security numbers, birth dates, insurance information, medical histories, financial data. Everything needed for identity theft, insurance fraud, and prescription schemes. Unlike credit cards that get cancelled, this information stays valuable for years. 

Growing practices make perfect targets 

You’re managing IT across five locations. Three different EHR systems. Multiple billing platforms. Each practice you acquired came with its own technology decisions, vendor relationships, and security gaps. 

Jeffery addresses the dangerous myth directly: “Hackers by nature, because it’s a volumes game, they’re not very… they’re kind of lazy. They want soft targets.” 

Your distracted organization is exactly that soft target. You might have 50 physicians across your platform, but criminals see you the same way they see a solo practice—limited IT resources, no 24/7 monitoring, gaps between locations they can exploit. 

Consider your numbers. Five locations, 10 providers per site, 3,000 patients per provider. That’s 150,000 patient records. At even conservative black market prices, criminals see millions in potential value. They know you don’t have a security operations center watching for threats. They know your IT team is stretched thin just keeping systems running. 

Security failures multiply with each location 

Every acquisition compounds your security challenges. You inherit whatever security problems that practice has accumulated over years of independent operation. 

Your newest acquisition looked great on paper. Strong revenues, good payer mix, strategic location. But their “server room” is actually a converted supply closet. Their backup strategy involves external hard drives that the office manager takes home. Their idea of access control is a shared password written on a sticky note. 

Now multiply these issues across your platform: 

  • Each location has different password policies (or none at all) 
  • Remote access methods vary wildly between sites 
  • Some locations patch monthly, others haven’t updated in years 
  • Vendor access accumulated over time with no central tracking 
  • Staff trained differently on security at each practice 

You can’t standardize overnight. Clinical operations must continue. Doctors won’t tolerate disruption. Meanwhile, criminals probe for the weakest point across your entire network. If your sites share a flat network, common credentials, or one directory domain with no segmentation between locations, one compromised location gives them access to your whole platform. 

Where hackers actually break into healthcare systems 


Understanding attack methods helps you defend against them. The Verizon 2024 Data Breach Investigations Report identifies the most common entry points in healthcare breaches. 

Staff get manipulated into creating access 

IBM’s 2025 report shows phishing drives almost 16% of breaches. But calling it “phishing” misses the sophistication. These aren’t Nigerian prince emails anymore. 

Jeffery shares what he sees in practices: “I’ve seen a lot of cases where a fake patient gets the staff to log into the portal to sign up for the portal.” Your front desk wants to help patients. They’ve been trained to provide excellent service. Criminals exploit that service mentality. 

The attack chains work like this: 

  1. Criminals research your staff on LinkedIn and social media 
  2. They craft emails mentioning real doctors, real systems, and real processes 
  3. One person clicks, enters credentials on a fake login page 
  4. Those credentials unlock multiple systems due to password reuse 
  5. Criminals move laterally through your network, accessing everything 

Each location you manage increases the attack surface. More staff to target. More email addresses to spoof. More opportunities for someone to make one mistake that compromises everything. 

Technical gaps become entry points 

Every practice you acquire brings technical debt. Systems that can’t be patched because they’ll break. Applications requiring outdated browsers. Medical devices running Windows XP that can’t be upgraded. 

Common technical failures across multi-site practices: 

  • Remote desktop exposed to the internet with weak passwords 
  • Backup systems accessible with default credentials 
  • Wireless networks shared between clinical and guest access 
  • USB ports enabled on every workstation 
  • Local admin rights for all users because “it’s easier” 

Cloud services create shared responsibility confusion 

You moved to cloud-based EHR and practice management. The vendor handles infrastructure security. But who handles user access? Who monitors for suspicious activity? Who ensures configurations are secure? 

This shared responsibility model fails when everyone assumes someone else handles security. Your EHR vendor secures their servers, but not your user accounts. You must manage access controls, audit logs, and security configurations. 

Most practices discover these gaps only after a breach. The vendor points to their contract showing you’re responsible for user security. Your cyber insurance denies the claim because you didn’t implement the required controls. You’re stuck with the full cost. 

This is where comprehensive tech support for health systems becomes critical. You need a partner who understands both the technical security requirements and the healthcare context; someone who knows which security controls your EHR vendor actually provides and which ones fall on you. 

Third-party and vendor vulnerabilities 

You work with dozens of vendors. EHR, billing, imaging, labs, pharmacies, clearinghouses, and IT support. Each connection represents a potential compromise. 

Supply chain attacks work because criminals know smaller vendors have weaker security, and because one vendor sits upstream of many practices. Compromise one billing company, get access to dozens of practices. The 2024 Change Healthcare breach, which exposed data on roughly 190 million people, shows the blast radius: attackers logged in to a remote-access portal that had no MFA, and because thousands of providers depended on that one clearinghouse, a single vendor’s failure became the whole industry’s problem. 

Your vendor management challenge multiplies with growth. The orthopedic practice you acquired has 40 vendor relationships. The primary care group has 60 different ones. Now you’re managing 100+ vendor connections across your platform with no central visibility. 

Preventing healthcare data breaches across multiple locations 


Stop thinking about security as a technology problem. Start thinking about it as an operational discipline that needs to work the same way across every location. 

Standardize authentication without disrupting operations 

“If you don’t have multifactor authentication (MFA), please do that today,” Tim states clearly in the webinar. But you can’t just flip a switch across five locations without breaking workflows. 

Start with your highest-risk users: 

  • Anyone who can move money 
  • System administrators at each location 
  • Users with access to all sites 
  • Third-party billing staff 

Roll out systematically: 

  • Week 1: Finance and IT administration 
  • Week 2: Practice managers and billing supervisors 
  • Week 3: Clinical leadership 
  • Week 4: All remaining staff 

Phishing-resistant MFA (FIDO2 security keys or passkeys) is the goal, because a one-time code or a push approval can still be relayed through a fake login page. Where you must keep push-based MFA for now, at least turn on number matching. Those simple “approve/deny” prompts train people to tap approve without thinking, which is exactly what an attacker holding a phished password counts on. Number matching forces attention: the person on the phone has to type a number that appears only on the login screen. 
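To make the difference concrete, here is an added example (not code from this article or from Focus Solutions) that models a hypothetical in-house identity provider in both modes and runs the push-bombing scenario against each. The class names, the two-digit number range and the three-attempt lockout are assumptions; commercial authenticators implement number matching for you and only need it switched on.

```python
"""Push MFA: plain approve/deny beside number matching.

Added example for this article, not Focus Solutions code and not any vendor's
implementation. It models a hypothetical in-house identity provider so the
difference is visible; commercial products (Microsoft Authenticator, Duo,
Okta Verify) implement number matching for you and only need it enabled.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 3  # wrong numbers allowed before the challenge locks (assumed policy)


@dataclass
class Challenge:
    expected: Optional[int]   # two-digit number, None in approve/deny mode
    attempts: int = 0
    state: str = "pending"    # pending | approved | denied | locked


class PushMfaServer:
    def __init__(self, mode: str) -> None:
        if mode not in ("approve_deny", "number_match"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self._challenges: Dict[str, Challenge] = {}

    def start_login(self) -> Tuple[str, Optional[int]]:
        """Runs after the password check passes. The returned number is shown
        only on the login screen, so whoever typed the password sees it;
        the phone is told nothing."""
        cid = secrets.token_hex(8)
        number = secrets.randbelow(100) if self.mode == "number_match" else None
        self._challenges[cid] = Challenge(expected=number)
        return cid, number

    def phone_response(self, cid: str, approve: bool, typed: Optional[int] = None) -> bool:
        """The phone app's answer. Returns True only when the login is approved."""
        ch = self._challenges[cid]
        if ch.state != "pending":
            return False
        if not approve:
            ch.state = "denied"
            return False
        if self.mode == "approve_deny":
            ch.state = "approved"          # a blind tap is enough
            return True
        ch.attempts += 1
        if typed is not None and hmac.compare_digest(f"{ch.expected:02d}", f"{typed:02d}"):
            ch.state = "approved"
            return True
        if ch.attempts >= MAX_ATTEMPTS:
            ch.state = "locked"
        return False

    def is_authenticated(self, cid: str) -> bool:
        return self._challenges[cid].state == "approved"


def attacker_success_rate(mode: str, trials: int = 1000) -> float:
    """Push-bombing scenario: the attacker holds a phished password and keeps
    starting logins; the worn-down user taps approve every time. Under number
    matching the user never saw the number (it is on the attacker's screen),
    so the best a blind approval can do is guess, modelled here as uniform."""
    srv = PushMfaServer(mode)
    wins = 0
    for _ in range(trials):
        cid, _shown_to_attacker = srv.start_login()
        guess = secrets.randbelow(100) if mode == "number_match" else None
        if srv.phone_response(cid, approve=True, typed=guess):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("approve/deny :", attacker_success_rate("approve_deny"))   # 1.0
    print("number match :", attacker_success_rate("number_match"))   # about one in a hundred
```

In approve/deny mode a blind tap from a fatigued user is a guaranteed win for whoever holds the phished password. Under number matching the same user, who never saw the number on the attacker’s screen, can only guess, and the challenge locks after a few misses. Number matching still is not phishing-resistant: a real-time proxy that relays the genuine login page shows the victim the real number, which is why security keys or passkeys remain the target.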

Create visibility across your entire platform 

You can’t protect what you can’t see. Most multi-site practices have no idea who has access to what across locations. 

Build a simple access inventory: 

  • List every system at each location 
  • Document who has access to each system 
  • Note when access was last verified 
  • Track vendor access separately 

This isn’t sophisticated. A spreadsheet works initially. The goal is to understand your actual attack surface, not to build perfect documentation. 

Monthly vulnerability scanning becomes non-negotiable. You need to know what’s exposed across all sites. Focus on external-facing systems first: patient portals, remote access, and email. Then scan internal networks quarterly. 
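As an added example (not Focus Solutions tooling), here is a review script you can point at that spreadsheet once it is exported as CSV. The column layout, the sample rows and the 90-day thresholds are constructed for illustration; adjust them to your own policy.

```python
"""Review a multi-site access inventory and flag what needs attention first.

Added example for this article, not Focus Solutions tooling. The CSV below is
constructed sample data with made-up locations, systems and accounts; the
column names and the 90-day thresholds are assumptions you would adjust to
your own policy.
"""
import csv
import io
from datetime import date
from typing import List, Optional, Tuple

INVENTORY_CSV = """location,system,account,account_type,scope,last_verified,last_login
north,EHR-A,jsmith,staff,site,2025-01-10,2025-03-01
north,EHR-A,billing-svc,vendor,all_sites,2024-06-01,2025-02-28
south,EHR-B,rlopez,staff,all_sites,2025-02-15,2025-03-02
south,Backup,admin,shared,site,,2024-11-20
east,EHR-C,imaging-vendor,vendor,site,2024-09-01,2024-09-03
east,VPN,tgreen,staff,site,2025-02-01,2024-10-15
"""

VERIFY_MAX_DAYS = 90   # access must be re-attested at least this often
DORMANT_DAYS = 90      # no login for this long => candidate for removal

Finding = Tuple[str, str, str]  # (severity, location/system/account, reason)


def _parse_date(text: str) -> Optional[date]:
    return date.fromisoformat(text) if text else None


def review_inventory(csv_text: str, today: date) -> List[Finding]:
    """Return findings sorted high -> medium, then by account path."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        acct = f"{row['location']}/{row['system']}/{row['account']}"
        verified = _parse_date(row["last_verified"])
        last_login = _parse_date(row["last_login"])

        # 1. Was this access ever attested, and recently enough?
        if verified is None:
            findings.append(("high", acct, "access never verified"))
        elif (today - verified).days > VERIFY_MAX_DAYS:
            findings.append(("medium", acct, f"last verified {(today - verified).days} days ago"))

        # 2. Shared logins defeat attribution in the audit log.
        if row["account_type"] == "shared":
            findings.append(("high", acct, "shared account; no individual accountability"))

        # 3. Cross-site access is the platform-wide blast radius.
        if row["scope"] == "all_sites":
            if row["account_type"] == "vendor":
                findings.append(("high", acct, "vendor account with access to every site"))
            else:
                findings.append(("medium", acct, "cross-site access; confirm MFA is enforced"))

        # 4. Dormant accounts are free credentials for whoever finds them.
        if last_login is not None and (today - last_login).days > DORMANT_DAYS:
            findings.append(("medium", acct, f"dormant: no login for {(today - last_login).days} days"))

    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f[0]], f[1]))   # stable sort keeps rule order within an account
    return findings


if __name__ == "__main__":
    for severity, acct, reason in review_inventory(INVENTORY_CSV, date(2025, 3, 3)):
        print(f"{severity:6} {acct:30} {reason}")
```

Run it monthly alongside the vulnerability scan. The high findings (never-verified access, shared logins, and vendor accounts with cross-site reach) are the ones a criminal probing between locations would find first.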

Make monitoring and response actually work 


Traditional antivirus misses modern attacks. Criminals use legitimate tools and stolen credentials. Nothing looks malicious until damage is done. 

Endpoint Detection and Response (EDR) changes the game. Jeffery explains the power: “Maybe I’ve got an employee that typically works 8 to 5, Monday through Friday, never works weekends, and then all of a sudden at 3 AM on Saturday morning, they log in from Russia. Red flag.” 

But EDR only works if someone watches it. Multi-site practices need 24/7 monitoring since attacks don’t follow business hours. You need someone investigating alerts, correlating events across locations, and responding immediately to threats. 
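As an added example (not Focus Solutions or any vendor’s detection logic), here is the rule behind Jeffery’s 3 AM Saturday scenario, written as a baseline-and-deviation check over constructed login records. The log format, the six-week baseline window and the 20-event minimum are assumptions.

```python
"""Baseline-and-deviation check for logins, the kind of rule an EDR or SIEM
applies to authentication events.

Added example for this article, not Focus Solutions or any vendor's detection
logic. The log format (one line per login, key=value fields) is an assumption,
and every line below is constructed sample data, not a real log. Times are UTC
for simplicity; a production rule would baseline in the user's local zone.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<cc>[A-Z]{2}) result=(?P<result>\w+)$"
)
MIN_BASELINE_EVENTS = 20   # assumed: fewer successes than this => no opinion yet


def parse_line(line: str) -> Dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def build_baseline(lines: List[str]) -> Dict[str, Dict]:
    """Per user: weekdays, hours and countries seen in *successful* logins."""
    base: Dict[str, Dict] = defaultdict(
        lambda: {"weekdays": set(), "hours": set(), "countries": set(), "n": 0}
    )
    for line in lines:
        ev = parse_line(line)
        if ev["result"] != "success":      # failed attempts don't define "normal"
            continue
        b = base[ev["user"]]
        b["weekdays"].add(ev["ts"].weekday())
        b["hours"].add(ev["ts"].hour)
        b["countries"].add(ev["cc"])
        b["n"] += 1
    return base


def score_event(ev: Dict, base: Dict[str, Dict]) -> List[str]:
    """Reasons this login deviates from the user's baseline (empty = normal)."""
    b = base.get(ev["user"])
    if b is None or b["n"] < MIN_BASELINE_EVENTS:
        return ["insufficient_baseline"]   # new hire, new account, or a fake one
    reasons = []
    if ev["cc"] not in b["countries"]:
        reasons.append(f"new_country:{ev['cc']}")
    if ev["ts"].weekday() not in b["weekdays"]:
        reasons.append("unusual_weekday")
    if ev["ts"].hour not in b["hours"]:
        reasons.append("unusual_hour")
    return reasons


def detect(lines: List[str], base: Dict[str, Dict]) -> List[Dict]:
    """Return only the logins that deviate, with the reasons attached."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        reasons = score_event(ev, base)
        if reasons:
            flagged.append({"user": ev["user"], "ts": ev["ts"], "src": ev["src"], "reasons": reasons})
    return flagged


def constructed_baseline_lines() -> List[str]:
    """Six weeks of Monday-to-Friday, 08:00-17:00, US-only logins for jsmith (constructed)."""
    start = datetime(2025, 1, 6, tzinfo=timezone.utc)    # a Monday
    lines = []
    for week in range(6):
        for day in range(5):
            for hour in range(8, 18):
                ts = start + timedelta(weeks=week, days=day, hours=hour)
                lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user=jsmith src=203.0.113.10 country=US result=success")
    return lines


# Constructed events to score against that baseline.
TEST_LINES = [
    "2025-02-18T09:14:03Z user=jsmith src=203.0.113.10 country=US result=success",   # Tuesday, in pattern
    "2025-02-22T03:02:47Z user=jsmith src=198.51.100.7 country=RU result=success",   # Saturday 03:02, new country
    "2025-02-18T10:00:00Z user=newhire src=203.0.113.11 country=US result=success",  # no history at all
]

if __name__ == "__main__":
    base = build_baseline(constructed_baseline_lines())
    for hit in detect(TEST_LINES, base):
        print(hit["ts"], hit["user"], hit["src"], ", ".join(hit["reasons"]))
```

The insufficient_baseline case matters as much as the Russia case: an account with no history is either a new hire or an attacker’s freshly created persistence, and either way a human should look. That is the correlation work that needs someone on shift at 3 AM, not a dashboard nobody opens until Monday.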

Test backups like your practice depends on them 

Because it does. Ransomware operators specifically target backups, deleting or encrypting them before they trigger the main attack. Criminals know you’ll pay if you can’t restore operations. At least one copy of your backups must be offline or immutable, on storage that the credentials used to run the backup job cannot delete or overwrite. 

Most practices learn during attacks that their backups are worthless. Either incomplete, corrupted, or so complex that nobody knows how to restore them. That disaster recovery plan gathering dust? Useless when you actually need it. 

Quarterly restoration drills prove your backups work: 

  1. Pick a critical system at random 
  2. Restore it to a test environment 
  3. Verify data integrity 
  4. Time the entire process 
  5. Document lessons learned 

Know these numbers cold: Recovery Time Objective (how fast you must restore) and Recovery Point Objective (acceptable data loss). When the board asks during a crisis, it’s better to have answers. 
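As an added example (not Focus Solutions tooling), here is the integrity check and the RTO/RPO scoring for the drill above, run over constructed files and timestamps. The manifest format and the four-hour and 24-hour objectives are assumptions.

```python
"""Prove a restore actually worked: compare the restored files against the
hash manifest captured at backup time, then score the drill against RTO/RPO.

Added example for this article, not Focus Solutions tooling. The files and
timestamps are constructed sample data; in practice the manifest is written
by the backup job and stored where that job's credentials cannot alter it.
"""
import hashlib
from datetime import datetime, timedelta
from typing import Dict

Files = Dict[str, bytes]      # path -> content


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Files) -> Dict[str, str]:
    """Taken at backup time: path -> sha256 of the content that was backed up."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_restore(manifest: Dict[str, str], restored: Files) -> Dict:
    """Step 3 of the drill: does what came back match what went in?"""
    missing = sorted(p for p in manifest if p not in restored)
    extra = sorted(p for p in restored if p not in manifest)
    corrupted = sorted(
        p for p in manifest if p in restored and sha256_hex(restored[p]) != manifest[p]
    )
    return {"missing": missing, "extra": extra, "corrupted": corrupted,
            "intact": not missing and not corrupted}


def evaluate_drill(report: Dict, last_backup_at: datetime, restore_started: datetime,
                   restore_finished: datetime, rto: timedelta, rpo: timedelta) -> Dict:
    """Steps 4 and 5: time the restore and compare against the objectives."""
    actual_rto = restore_finished - restore_started
    actual_rpo = restore_started - last_backup_at     # data written since the backup is gone
    return {
        "actual_rto": actual_rto, "meets_rto": actual_rto <= rto,
        "actual_rpo": actual_rpo, "meets_rpo": actual_rpo <= rpo,
        "intact": report["intact"],
        "passed": report["intact"] and actual_rto <= rto and actual_rpo <= rpo,
    }


# Constructed sample data: what was backed up, and what two restores produced.
ORIGINAL: Files = {
    "ehr/db/patients.sqlite": b"SQLite format 3\x00...constructed...",
    "ehr/config/app.ini": b"[db]\npath=patients.sqlite\n",
    "billing/2025-02/claims.csv": b"claim_id,amount\n1001,120.00\n",
}
MANIFEST = build_manifest(ORIGINAL)

CLEAN_RESTORE: Files = dict(ORIGINAL)

BAD_RESTORE: Files = dict(ORIGINAL)
BAD_RESTORE["ehr/db/patients.sqlite"] = ORIGINAL["ehr/db/patients.sqlite"][:-1] + b"\xff"  # one flipped byte
del BAD_RESTORE["billing/2025-02/claims.csv"]                                              # never restored
BAD_RESTORE["ehr/db/patients.sqlite-journal"] = b"stale"                                    # not in the backup

LAST_BACKUP = datetime(2025, 3, 2, 1, 0)
RTO = timedelta(hours=4)      # assumed objective: back up within four hours
RPO = timedelta(hours=24)     # assumed objective: lose at most one day of data

if __name__ == "__main__":
    report = verify_restore(MANIFEST, BAD_RESTORE)
    print(report)
    print(evaluate_drill(report, LAST_BACKUP, datetime(2025, 3, 2, 9, 0),
                         datetime(2025, 3, 2, 13, 30), RTO, RPO))
```

A restore that finishes but fails the hash comparison is the case that surprises people: the job reported success and the data is wrong. Record actual_rto and actual_rpo from every drill; those are the numbers to have ready when the board asks.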

Lock down email and financial controls 

Business email compromise bypasses technical security entirely. Criminals manipulate people into approving fraudulent payments. 

Implement these controls immediately: 

  • Email authentication (SPF, DKIM, DMARC) blocking spoofed emails, with the DMARC policy set to quarantine or reject (p=none only generates reports and blocks nothing) 
  • Banner warnings on external emails 
  • Automatic quarantine for suspicious attachments 
  • Separate approval for all payment changes 

Never approve financial changes through email alone. Require phone verification using known numbers, not numbers provided in the change request. This one rule stops most financial fraud. 
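As an added example (not Focus Solutions tooling), here is an offline check of the SPF and DMARC settings that decide whether a spoofed invoice from “your” domain gets delivered, with a weak configuration beside its hardened form. The domain and records are constructed; the include: hosts are placeholders, not real services.

```python
"""Check a domain's SPF and DMARC records for the settings that make
spoofing easy, with a weak configuration beside its hardened form.

Added example for this article, not Focus Solutions tooling. DNS is not
queried: the records are constructed TXT values for a made-up domain
(clinic.example) so the check runs offline. In practice you would fetch
them with `dig TXT clinic.example` and `dig TXT _dmarc.clinic.example`.
DKIM is not assessed here because its selectors differ per sending service.
"""
import re
from typing import Dict, List, Optional

WEAK_RECORDS = {
    "spf":   "v=spf1 include:_spf.ehr-vendor.example include:mail.billing-vendor.example +all",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED_RECORDS = {
    "spf":   "v=spf1 include:_spf.ehr-vendor.example include:mail.billing-vendor.example -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@clinic.example",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # each costs a DNS lookup


def assess_spf(txt: Optional[str]) -> List[str]:
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["SPF: no record; receivers cannot reject any sender claiming this domain"]
    findings = []
    terms = txt.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get an implicit neutral")
    else:
        q = all_terms[-1]
        if q in ("+all", "all"):
            findings.append("SPF: '+all' authorises every host on the internet to send as you")
        elif q == "?all":
            findings.append("SPF: '?all' is neutral; it tells receivers nothing")
    lookups = 0
    for t in terms:
        m = re.match(r"^[+\-~?]?([a-z0-9]+)", t.lower())
        if m and m.group(1) in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:   # RFC 7208 limit; exceeding it makes the whole record a permerror
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(txt: str) -> Dict[str, str]:
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(txt: Optional[str]) -> List[str]:
    if not txt or not txt.strip().upper().startswith("V=DMARC1"):
        return ["DMARC: no record; SPF/DKIM failures carry no instruction to receivers"]
    tags = parse_dmarc(txt)
    findings = []
    p = tags.get("p", "none").lower()
    if p == "none":
        findings.append("DMARC: p=none only reports; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if p != "none" and pct < 100:
        findings.append(f"DMARC: only {pct}% of failing mail is subject to p={p}")
    sp = tags.get("sp", p).lower()
    if p != "none" and sp == "none":
        findings.append("DMARC: subdomains fall back to sp=none; spoofers will use billing.yourdomain instead")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you will never see aggregate reports")
    return findings


def assess_domain(records: Dict[str, Optional[str]]) -> List[str]:
    return assess_spf(records.get("spf")) + assess_dmarc(records.get("dmarc"))


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"{label}: {assess_domain(recs) or ['no findings']}")
```

The two records differ by a handful of characters. +all and p=none are what you most often find in practices that believe they “have SPF and DMARC set up”: both records exist, and both let a spoofed payment-change request straight into the CFO’s inbox.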

Training staff to be defenders, not victims 

The Verizon 2024 report shows 68% of breaches involve a human element. Not because people are stupid. Because criminals are good at manipulation. 

Healthcare workers want to help. That’s why they chose this field. Criminals weaponize that helpfulness. They create urgency, appeal to compassion, and exploit the service mentality that makes healthcare work. 

Training that reflects actual threats 

Generic security awareness training wastes time. Your staff needs healthcare-specific scenarios: 

  • The “forgotten insurance card” patient requesting portal access 
  • Urgent requests from “physicians” needing immediate access 
  • Fake IT support offering to fix problems 
  • Vendors claiming payment issues requiring immediate update 

Role-based training matters. The front desk faces different threats than billing. Clinical staff need different awareness than the administration. One-size-fits-all training protects no one effectively. 

Make training monthly, not annual. Five-minute micro-lessons beat hour-long annual sessions. Security threats evolve weekly. Annual training is obsolete before completion. 

Creating a security-aware culture 

Create an environment where reporting suspicious activity is celebrated, not punished. Even experienced IT professionals fall for sophisticated attacks. Shame prevents reporting. Celebration encourages it. 

Track time-to-report, not just click rates. Someone clicking a phishing link but immediately reporting it is better than someone who clicks and stays quiet. Quick reporting contains damage. 

Every new acquisition needs immediate security culture integration. Don’t wait for system standardization. Start building awareness from day one. The practices you acquire often have no security culture at all. Starting immediately prevents those locations from becoming your weakest link. 

Why HIPAA compliance isn’t enough 


“HIPAA is designed to be the floor,” Tim explains. “You can be HIPAA compliant and still be insecure.” 

HIPAA requires security policies. It doesn’t require that policies actually work. You can have perfect documentation while leaving practices completely exposed. 

Tim contrasts with payment card standards: “PCI says, ‘Here’s how often you need to review that. Here’s how long your passwords have to be.’ HIPAA comes in at the other end to say you need a process, you need a policy.” 

Modern healthcare threats require capabilities HIPAA never contemplated: 

  • Continuous monitoring, not annual assessments 
  • Behavioral analytics identifying abnormal access patterns 
  • Rapid incident response measured in minutes, not days 
  • Zero-trust architecture assuming breach has already occurred 
  • Supply chain risk management for dozens of vendors 

Your private equity partners and potential acquirers evaluate security beyond compliance. They want to see operational maturity. They need confidence you can protect their investment. HIPAA compliance is table stakes. Real security determines valuations. 

Make the business case to your board 

Security isn’t an IT expense. It’s operational insurance protecting everything you’ve built. 

Frame the investment correctly: 

  • Cost of prevention vs. cost of breach response 
  • Competitive advantage in physician recruitment 
  • Higher valuations during exits or recapitalization 
  • Reduced insurance premiums with better coverage 
  • Protected cash flow from prevented fraud 

Your board understands risk management. Show them security as risk mitigation, not technology spending. Compare security investment to malpractice insurance, necessary protection for sustainable operations. 

Plan for failure while preventing it 

Experienced security professionals don’t say “if” you’ll have an incident. They say “when.” This isn’t defeatism. It’s a reality for healthcare organizations facing constant automated attacks. 

Your incident response plan needs to work across all locations: 

  • Clear escalation paths that don’t depend on one person 
  • Communication templates for patients, partners, and regulators 
  • Legal counsel identified and pre-engaged 
  • Backup restoration procedures anyone can execute 
  • Lessons learned process for improving defenses 

Test quarterly through tabletop exercises: 

  1. Gather key stakeholders from IT, operations, finance, and clinical leadership 
  2. Walk through realistic scenarios: ransomware, data theft, vendor compromise 
  3. Identify gaps in your response 
  4. Fix problems before they matter 
  5. Document everything for insurance requirements 

External expertise matters when incidents occur. You can’t maintain forensics specialists full-time. But having relationships established means a quick response when needed. Know who you’ll call before you need to call them. 

The Focus Solutions Unified Partner Approach


Most healthcare organizations work with separate vendors for IT, security, and data, plus additional application support. When security incidents cross vendor boundaries, finger-pointing begins while threats spread. 

Focus Solutions brings Managed IT, Managed Security, and Managed Data together under one roof. One partner managing all three pillars means: 

  • Consistent security controls deployed identically across locations 
  • No gaps between vendor responsibilities 
  • Faster threat detection and response 
  • Clear accountability when issues arise 

We understand healthcare operations. We know you can’t disrupt clinical workflows for security updates. We know each acquisition brings unique challenges. We know standardization takes time, while threats are immediate. 

Our approach follows the proven progression: Fix → Stabilize → Enable. 

Fix the critical gaps leaving you exposed today. Stabilize operations with consistent security across locations. Enable growth, knowing security scales with expansion. 

Act before security failures derail your growth 

Growing healthcare organizations face an impossible balance. Expand quickly to achieve scale. Maintain security to protect operations. Usually, growth wins and security becomes “we’ll fix that later.” 

Criminals count on that prioritization. They know you’re focused on integration, not security. They know your IT team is overwhelmed. They wait for the perfect moment—usually during your next acquisition—to strike. 

But here’s what successful organizations discovered: security doesn’t constrain growth. It enables it. 

Strong security means: 

  • Acquisitions proceed without fear of inherited breaches 
  • Insurance coverage remains available and affordable 
  • Physician partners trust the platform they’ve joined 
  • Investors see operational maturity worth backing 
  • Your team focuses on growth instead of crisis management 

Start with the basics that work across every location. MFA for high-risk users. Monthly vulnerability scanning. Documented vendor access. Email authentication. Backup testing. 

These aren’t sophisticated controls. They’re foundational defenses that stop most attacks. More importantly, they scale as you grow. Each new location gets the same protection from day one. 

Don’t wait for criminals to expose your security failures. Don’t let prevention become urgent only after disaster strikes. Build defenses now while you have time to do it right. 

Preventing healthcare data breaches isn’t optional for growing practices. Let’s assess your security gaps before they become breaches.  

Focus Solutions brings Managed IT, Managed Security, and Managed Data together under one unified partnership. We help healthcare organizations build defense-in-depth strategies that protect without constraining growth. Contact us to discuss how we can strengthen your security across all your locations. 
