
Digital security for clinics with five practitioners – lessons from Change Healthcare and common errors

The Change Healthcare incident changed how security officers at large hospitals evaluate digital risk, but many small clinics lived through the disruption without updating their own security measures. Keeping the status quo is a mistake. Data in the medical field grows by approximately 36 % annually, so the attack surface of a five-provider clinic is significantly larger than it was two years ago. Small practices can get the protection they need through inexpensive technical controls rather than large corporate budgets; the difficulty is identifying which controls are effective and where the actual vulnerabilities lie.

What changed for small practices following the Change Healthcare incident?

In public reports, the primary lesson concerned the processing of insurance claims, but for a small practice the less discussed lesson concerned the concentration of services within a single vendor. Many clinics lacked a precise understanding of which external platforms stored patient information or had network access. To address this, clinics must plan how they would recover if a vendor is unavailable for an extended period.

Cyber insurance carriers have since introduced more rigorous requirements for coverage. Renewal forms that previously consisted of one page are now ten pages long, and “we use a HIPAA-compliant vendor” is an answer that insurers no longer accept.

But the fundamental security requirements of HIPAA remain the same, so the distance between “HIPAA-compliant” and “insurable” has grown. Because of this, small practices are carrying increased risk without being aware of it until they try to renew their insurance.

Where are the primary vulnerabilities in a five provider clinic?

Many small practices focus on the wrong areas: they worry about their Electronic Health Record (EHR) provider, but the EHR is typically the system with the most robust defenses. In most cases the actual vulnerabilities lie in three specific areas:

  • Email and password reuse. An employee might use the same password for a patient portal and for a personal account that is later compromised. As McKinsey’s healthcare outlook indicates, health services and technology are a rapidly expanding sector, so employees interact with more software-as-a-service tools than in previous years.
  • Unmonitored integrations. These include tools for marketing, scheduling or patient consent that were implemented and subsequently forgotten. Each tool is a path for data that does not appear in the official inventory.
  • Personal devices and home networks. Employees working in a hybrid capacity frequently reach clinical systems through networks that have never had a professional security review.

The EHR is generally secure – it is the surrounding connections where data breaches occur.

How do multi-tenant and single-tenant systems compare during a vendor incident?

Factor                | Multi-tenant                  | Single-tenant
Separation of data    | Database is shared            | Database is dedicated to one client
Extent of a breach    | All clients are impacted      | Impact is restricted to one client
Priority for recovery | Clients wait in a queue       | The specific instance is prioritized
Timing of updates     | Based on the vendor schedule  | Planned in coordination with the client
Cost structure        | Lower price per user          | Higher price per user

A multi-tenant platform is not inherently insecure. Many such platforms are operated with high standards of digital hygiene, but if the vendor experiences an incident, every client is placed in the same line for recovery. For a five-provider clinic that depends on the platform for daily work, a week of downtime threatens the survival of the business.

Healee’s white-label telehealth platform addresses this with a single-tenant architecture that gives every client a dedicated instance and database; the architecture currently serves more than 1 million patients and 5 million appointments across more than 200 clinics.

Which five inexpensive controls provide the majority of protection?

If a practice implements only five measures this year, these are the recommended actions:

  • Activate multi-factor authentication on all systems. This prevents most attacks that rely on stolen passwords, at no recurring cost.
  • Maintain a precise list of vendors. Keep a document that lists every platform that handles patient data, the person responsible for it and the contractual rights to recover data, and update it every six months.
  • Use a password manager for the entire office. When a practice relies on staff memory, passwords are likely to be reused across multiple sites.
  • Actually test data backups. Run one restoration test every three months to confirm that the restore works.
  • Run brief phishing training every three months. A short video and a test email are more effective than a single long session held once a year.

None of these actions requires a dedicated security professional; they take a small amount of time and consistent application.
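As an added example that is not part of the original article, a small Python script that models the vendor list described above and flags the gaps the article warns about: a missing owner, patient data with no recovery rights, entries not reviewed in six months, and a single vendor carrying several critical services (the concentration problem raised earlier). The vendor names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Roughly the six-month refresh cycle the article recommends for the vendor list.
REVIEW_INTERVAL = timedelta(days=182)


@dataclass
class Vendor:
    name: str
    services: tuple             # what the clinic depends on this vendor for
    handles_phi: bool           # does the platform store or process patient data?
    owner: str                  # staff member responsible for the relationship
    data_recovery_rights: bool  # contractual right to get the data back
    last_reviewed: date


def review_inventory(vendors, today):
    """Return (vendor name, finding) pairs for entries that need attention."""
    findings = []
    for v in vendors:
        if not v.owner:
            findings.append((v.name, "no responsible person assigned"))
        if v.handles_phi and not v.data_recovery_rights:
            findings.append((v.name, "handles patient data but no data-recovery rights documented"))
        if today - v.last_reviewed > REVIEW_INTERVAL:
            findings.append((v.name, "entry not reviewed in the last six months"))
    return findings


def concentration_risks(vendors, threshold=2):
    """Vendors carrying several services at once: if one is down, all of them are."""
    return [v.name for v in vendors if len(v.services) >= threshold]


# Constructed sample inventory; the vendor names are hypothetical.
SAMPLE = [
    Vendor("ClaimsHub", ("claims", "eligibility", "payments"), True, "Office manager", False, date(2023, 12, 1)),
    Vendor("SchedulerApp", ("scheduling",), True, "", True, date(2024, 5, 1)),
    Vendor("MailMarketer", ("marketing",), False, "Front desk lead", True, date(2024, 6, 1)),
]


def review_sample():
    """Run the review against the sample inventory as of a fixed date."""
    return review_inventory(SAMPLE, date(2024, 7, 1))


if __name__ == "__main__":
    for name, finding in review_sample():
        print(f"{name}: {finding}")
    print("Single points of failure:", concentration_risks(SAMPLE))
```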

HIPAA requirements and current demands from insurance carriers

HIPAA establishes a minimum standard for data protection; cyber insurance carriers, by contrast, often set the practical maximum. It is now common for insurers to demand proof that a clinic uses multi-factor authentication and endpoint detection software, and by requiring documented incident response procedures and regular patching schedules, carriers go beyond the law. The HIPAA Security Rule contains no such specific requirements, but if a clinic cannot provide this evidence, premiums are likely to rise by 20 % to 40 %, and for some clinics coverage is not available at all without these measures.

By completing an insurer’s checklist, you also exceed the basic standards of HIPAA.

AI tools and new patterns of data leakage

Healthcare data is growing by 36 % each year, and the AI tools that staff want to use are growing just as fast; this risk is not hypothetical. When a medical assistant pastes a patient summary into a general-purpose AI tool to draft a message, they are sending protected health information to a third party. Without a business associate agreement, that violates privacy rules.

A ban is not necessary; a short written policy is better. The policy defines which AI tools are permitted for clinical use and which are prohibited, and if a tool is useful but not yet permitted, it explains the review process. Without this guidance, employees will make their own choices without telling anyone.

Conclusion – preparation is better than a reactive response

Small practices do not need the financial resources of a large corporation to be secure. They need a clear understanding of where the risks are, a short list of affordable controls applied consistently, and a vendor architecture that keeps functioning even when one part fails. The clinics in a good position after a major industry event are those that completed the routine tasks first.

If you are evaluating a platform and single-tenant architecture is a consideration, you can request a demo to see how a dedicated instance works in daily operations.

Frequently asked questions

How quickly does a five-provider clinic need to act on cybersecurity after an incident?

Within 90 days. Focus first on five affordable controls: multi-factor authentication, a vendor inventory, a password manager, backup restoration tests and phishing training every three months.

Is single-tenant architecture worth the expense for a small practice?

It depends on how much the practice relies on the platform. If daily work stops when the platform is down, single-tenant architecture is usually a good investment, because your recovery is not delayed behind other customers during a vendor incident.

Does being HIPAA compliant mean a vendor is sufficiently secure?

No. HIPAA establishes a base level that is updated infrequently. Because cyber insurance carriers now require more controls than HIPAA does, an insurer’s requirements are the more effective standard.

What is the most significant cybersecurity control for a small clinic?

Multi-factor authentication, on every system that handles patient data, including email. It stops most attacks that use stolen credentials at no additional cost.

Is it possible to use AI tools safely in a small practice?

Yes, with a written policy that lists which tools are allowed for clinical data and gives staff a way to request new ones. The risk lies in unmanaged use, not in the AI technology itself.
