
Cyberattacks: why medical practices are targeted, and how to protect yourself
We often imagine cyberattacks as something reserved for large companies. The reality in 2026 is the opposite: small healthcare structures are prime targets. They hold highly sensitive data, and they're often less protected than a large organisation. The good news is that a practice's cybersecurity isn't a matter of big budgets: it's a matter of hygiene. This guide explains why this concerns you, what the most common attacks are, and the simple measures that cover the bulk of the risk.
In short
- Practices are targeted because health data is valuable, the activity can't stop, and the defence is often limited.
- The most common attacks: phishing (booby-trapped email), ransomware, weak passwords and stolen hardware.
- Most of the risk is covered with simple, low-cost habits. Perfect security doesn't exist; "reasonable and up-to-date" security deters the vast majority of attacks.
- If you do only two things: two-step login security and tested backups.
- A well-maintained website is not a weak point; an abandoned one is.
1. Why healthcare is a favoured target
Three reasons combine:
- Health data is valuable. On the black market, a medical record sells for far more than a single bank-card number, because it contains a complete and lasting identity that can't be "reset".
- A practice can't stop. When the schedule and the records are locked, the pressure to pay a ransom and resume work is enormous. Attackers know it.
- Few structures have a dedicated IT team. The trio "valuable data, high pressure, limited defence" is exactly what an opportunistic attacker looks for.
Importantly, most attacks aren't targeted. They're automated campaigns that cast a wide net and hit whoever isn't protected. You don't need to be "interesting" to be hit, just vulnerable.
2. The most common attacks, without the jargon
- Phishing. An email that imitates a supplier, a bank, an insurer or an authority to steal your credentials or have you open a booby-trapped attachment. It's the number-one entry point, and it targets the human, not the machine.
- Ransomware. Software that encrypts your files and demands a ransom to unlock them. Without a backup, it's a disaster: schedule, records, everything becomes inaccessible.
- Weak or reused passwords. One password guessed, or recovered from a data leak, gives access to everything else if you use it everywhere.
- Theft or loss of hardware. An unencrypted laptop or USB stick is the patient file out in the open.
Worth remembering: most of the risk is covered with simple, low-cost habits. Perfect security doesn't exist, but "reasonable and up-to-date" security is enough to deter the vast majority of attacks, which are opportunistic.
3. The measures that really matter
- Two-step login security (a code on top of the password) on anything touching patient data. It's the measure with the best effort-to-protection ratio: even a stolen password is no longer enough to get in.
- Automatic, tested backups. A backup you've never tried to restore isn't really a backup. It's your safety net against ransomware.
- Updates. Software, website, browsers, system. Most attacks exploit flaws for which a fix already exists but has never been installed.
- Unique passwords, ideally with a password manager (which creates, remembers and fills them for you).
- Device encryption. On by default on recent Macs and PCs, but worth checking it actually is. A stolen, encrypted device stays unreadable.
- Serious, compliant hosting (see the revFADP): knowing where the data is and who accesses it.
- Email caution. At the slightest doubt, don't click, verify through another channel (a phone call, for example).
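The "tested backups" point above is easy to state and easy to skip, so here is what a restore drill looks like in practice. This is an added example, not code from the original article: it backs up a folder into an archive with a checksum manifest, restores it into an empty folder, and only reports success if every file comes back byte-for-byte. The sample "records" folder is constructed for the demonstration; the paths are assumptions.

```shell
#!/bin/sh
# Restore drill for a folder backup (constructed example; not the article's own code).
# Assumes GNU coreutils (sha256sum, sort -z) and tar, as on a typical Linux server.

# Create a small constructed "records" folder so the drill can run stand-alone.
make_sample() {
  mkdir -p "$1/patients"
  printf 'Constructed record A\n' > "$1/patients/a.txt"
  printf 'Constructed record B\n' > "$1/patients/b.txt"
}

# Checksum every file under a folder, in a fixed order (NUL-safe for odd filenames).
manifest() {
  (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum)
}

# Back up SRC into ARCHIVE and record the manifest next to it (ARCHIVE.sha256).
backup() {
  src=$1; archive=$2
  tar -C "$src" -cf "$archive" .
  manifest "$src" > "$archive.sha256"
}

# Compare a folder's current checksums against a saved manifest; 0 only if identical.
verify() {
  manifest "$1" | cmp -s - "$2"
}

# Restore ARCHIVE into an empty folder DEST, then verify it against the manifest.
restore_and_verify() {
  archive=$1; dest=$2
  mkdir -p "$dest"
  tar -C "$dest" -xf "$archive"
  verify "$dest" "$archive.sha256"
}

# Whole drill for one source folder: back up, restore elsewhere, verify.
drill() {
  work=$(mktemp -d)
  backup "$1" "$work/backup.tar"
  restore_and_verify "$work/backup.tar" "$work/restore" && echo "restore drill OK"
}
```

Run `drill /path/to/records` on a schedule; a drill that has not printed "restore drill OK" recently means the backup is not yet one you can rely on.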
4. Where to start: measures by effort-to-protection ratio
| Measure | What it protects | Effort |
|---|---|---|
| Two-step login security | Against stolen passwords | Low |
| Automatic, tested backups | Against ransomware and data loss | Low to medium |
| Regular updates | Against known flaws | Low |
| Unique passwords + manager | Against the domino effect of a leak | Low |
| Device encryption | Against hardware theft | Very low (often just to enable) |
| Email vigilance | Against phishing | Low (a habit) |
All these measures are within your reach, without a significant budget. Start with the first two: on their own they cover the bulk of the risk.
5. And what about the website?
A well-built, maintained site (security updates, up-to-date hosting) is not a weak point. A site abandoned for three years is: it becomes an entry point for automated attacks. And if your site includes a management area or appointment booking, two-step security and backups aren't optional: they're the foundations.
6. What to do if you're a victim?
Keeping a cool head changes everything. The right reflexes:
- Disconnect the affected device or system from the network to limit the spread.
- Don't pay in a panic in case of ransomware: paying guarantees nothing and encourages attackers. Your backups are your best option.
- Ask for help from a trusted IT professional.
- Assess whether patient data is involved: if so, the obligations of the revFADP apply (possible notification to the FDPIC and the people concerned).
- Document what happened and the measures taken.
Frequently asked questions
My practice is small, am I really a target?
Yes. Most attacks aren't aimed at anyone in particular: they cast a wide net and hit whoever isn't protected. Being small doesn't protect you; being up to date does.
Is two-step security complicated to set up?
No. In practice, it's a code received via an app or a second factor at login. A few minutes of setup, for a considerable gain in protection. It's the measure to enable first.
Should you pay the ransom in case of ransomware?
It's strongly discouraged: paying doesn't guarantee you'll recover your data and it funds the attackers. It's precisely so you never have to ask the question that you need tested backups.
Is an antivirus enough?
No. An antivirus is useful, but it replaces neither two-step security, nor backups, nor updates, nor email vigilance. Security is a set of reflexes, not a single piece of software.
What about old computers and USB sticks?
Before getting rid of them, actually wipe the data (a simple "empty the bin" isn't enough). And while you're using them, check that they're encrypted.
The bottom line
A practice's cybersecurity isn't a matter of big budgets, it's a matter of hygiene. A few habits, applied seriously, already put you out of reach of the vast majority of attacks. The right question isn't "could it happen to me", but "would I be ready if it did". If the answer is no, start with two measures: two-step login security and backups. On their own, they cover the bulk of the risk.
Sources
- Federal Office for Cybersecurity (NCSC) · half-yearly reports: a large share of reported ransomware incidents concern SMEs; recommendations (multi-factor authentication, staff awareness).
- SWI swissinfo.ch · Better protecting the health sector from cybercriminals.