Ransomware: What It Costs a Small Practice and How to Limit the Damage
It is a Tuesday morning and your receptionist cannot open any patient files. She tries again. Nothing. Then a message appears on screen demanding payment in cryptocurrency to get everything back. Your appointments are backing up, your clinical notes are gone, and you have no idea how long this has been happening or how far it has spread.
This is ransomware. It is not a theoretical threat. Ransomware attacks on healthcare practices have increased sharply in recent years, and small practices are frequently targeted precisely because they tend to hold valuable data and have limited IT protection. The attackers encrypt your files so you cannot access them, then demand a ransom to hand over the decryption key. Even if you pay - which most security experts advise against - there is no guarantee you will get your files back.
The damage goes beyond the ransom itself. A practice locked out of its systems for even a day or two faces cancelled appointments, staff standing around unable to work, and serious obligations under the NZ Privacy Act 2020 if patient data has been accessed or stolen. Some ransomware variants now steal data before encrypting it, which means attackers can threaten to publish private patient information even after you have restored your files. That is a notifiable privacy breach, and the Office of the Privacy Commissioner takes those seriously.
The good news is that most ransomware attacks succeed by exploiting gaps that are entirely preventable. Outdated software, weak passwords, staff clicking on a convincing-looking email, backups that were never properly tested - these are the entry points. A practice that keeps its systems patched and up to date, runs proper endpoint protection, and has trained staff to recognise suspicious emails closes off the majority of attack pathways before anything happens. It is also worth understanding that multi-factor authentication (MFA) alone does not guarantee you are protected if an attacker has other ways in.
Backups are the most important safety net you can have. If your files are encrypted and you have clean, recent backups that are stored separately from your main systems, you can restore without paying anyone anything. The critical word is tested - a backup that has never been verified is not a backup you can rely on at 9am on a Tuesday when everything has gone wrong. Good managed IT support includes regular backup testing as a matter of course, not as an optional extra.
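The following is an added example of what "tested" means in practice; it is not code from ITstuffed or from this page. It assumes a POSIX shell with GNU coreutils (`sha256sum`), uses constructed sample files standing in for practice data, and shows a backup being written to a separate location with a checksum manifest, then restored into a scratch directory and checked file by file. The same check fails when a file in the backup has been altered or removed, which is the situation an untested backup hides until restore day.

```shell
#!/bin/sh
# Added example (not from the ITstuffed page): back up a directory, record
# SHA-256 checksums, then do a test restore and verify every file.
# Assumes GNU coreutils (sha256sum). Paths and sample data are constructed.
set -eu

# Build a small stand-in for practice data (constructed sample files).
make_sample_data() {
    dir="$1"
    mkdir -p "$dir/notes" "$dir/appointments"
    printf 'patient A: routine check\n' > "$dir/notes/a.txt"
    printf 'Tue 09:00 patient A\n' > "$dir/appointments/tue.txt"
}

# Copy the source tree into the backup location and write a checksum
# manifest beside it. In real use "$dest" should be a location that the
# practice workstations cannot write to (separate host, offline drive, etc.).
backup_dir() {
    src="$1"; dest="$2"
    mkdir -p "$dest/data"
    cp -R "$src"/. "$dest/data"
    ( cd "$dest/data" && find . -type f -exec sha256sum {} + | sort -k2 ) \
        > "$dest/MANIFEST.sha256"
}

# Test restore: copy the backup into a scratch directory and check every
# restored file against the manifest. Returns 0 only if all files match;
# an altered or missing file makes sha256sum -c return non-zero.
verify_backup() {
    backup="$1"; scratch="$2"
    manifest="$(cd "$backup" && pwd)/MANIFEST.sha256"
    rm -rf "$scratch"
    mkdir -p "$scratch"
    cp -R "$backup/data"/. "$scratch"
    ( cd "$scratch" && sha256sum -c --quiet "$manifest" )
}

# Count how many files the manifest covers (a quick sanity check that the
# backup is not empty).
manifest_file_count() {
    wc -l < "$1/MANIFEST.sha256" | tr -d ' '
}

# Walk through a good backup, then a damaged one, reporting each outcome.
run_demo() {
    work="$(mktemp -d)"
    make_sample_data "$work/src"
    backup_dir "$work/src" "$work/backup"
    echo "files in backup: $(manifest_file_count "$work/backup")"
    if verify_backup "$work/backup" "$work/restore"; then
        echo "test restore OK"
    else
        echo "test restore FAILED"
    fi
    # Simulate a backup copy that was silently damaged after it was taken.
    printf 'garbage\n' > "$work/backup/data/notes/a.txt"
    if verify_backup "$work/backup" "$work/restore2"; then
        echo "damaged backup passed (should not happen)"
    else
        echo "damaged backup correctly rejected"
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    run_demo
fi
```

Run it with `sh backup_check.sh demo` to see both outcomes. The point of the second half is that a backup job reporting "success" says nothing about whether the copy can actually be restored; only a restore into a scratch location followed by a checksum comparison does, and that is the step a managed IT provider should be running on a schedule.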
If an attack does happen, disconnect the affected device from your network immediately - unplug the network cable or turn off Wi-Fi - to stop the ransomware spreading to other machines. Do not pay the ransom. Report the incident to CERT NZ, and if patient data may have been accessed, notify the Office of the Privacy Commissioner at privacy.org.nz. Your IT support provider should be your first call once the machine is isolated. Practices that have dedicated IT support for healthcare in place before an incident are far better positioned to recover quickly and meet their reporting obligations.
Preventing ransomware from taking hold is not a one-off task. It requires software that is kept current, staff who know what a phishing email looks like, access controls so that not every person in the practice can reach every file, and backups that actually work. One threat that is easy to overlook is ransomware that targets cloud-based tools your practice may already use; it does not behave like a traditional attack on a local machine, so it is easily missed. For more on how to think about cyber risk across a healthcare or professional services practice, the ITstuffed cyber security page covers the layered approach in plain terms.
ITstuffed works with small practices across Canterbury to make sure these protections are in place and maintained. If you want to know where your practice stands, a 15-minute IT Fit Check with one of our engineers is a good starting point. Book one at /booking.
