By Elizabeth Snell
An AMA study found that 83 percent of US physicians experienced a cybersecurity attack, with healthcare phishing being the leading cause.
Healthcare organizations should consider increasing their cybersecurity measures as 83 percent of physicians report they have experienced a cybersecurity attack, according to research from Accenture and the American Medical Association (AMA).
Approximately 1,300 US physicians were interviewed and asked about their experience and attitudes toward cybersecurity, data management and HIPAA compliance.
Fifty-five percent of respondents said they were very or extremely concerned about future cyberattacks affecting their organization. Clinical practices being interrupted was a top concern for 74 percent, followed by compromised patient record security (74 percent), and patient safety being impacted (53 percent).
The majority of physicians – 85 percent – also said that it is very or extremely important to securely share personal health data outside of their health system. Sixty-seven percent stated greater access to patient data inside their health system could help provide more efficient quality patient care. Sixty-five percent said greater access to data outside of the health system would help achieve the same goal.
HIPAA compliance alone is insufficient, according to 83 percent of physicians. Healthcare should adopt a more holistic approach to assessing and prioritizing organizations’ risks, the survey found.
“The important role of information sharing within clinical care makes health care a uniquely attractive target for cyber criminals through computer viruses and phishing scams that, if successful, can threaten care delivery and patient safety,” AMA President David O. Barbe, M.D., M.H.A., said in a statement. “New research shows that most physicians think that securely exchanging electronic data is important to improve health care.”
“More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentiality and integrity of health care data,” he continued.
Healthcare phishing was the most common type of cyber attack, the report found, with 55 percent of respondents saying they experienced it. Just under half of surveyed physicians – 48 percent – said a computer virus led to a cybersecurity attack.
Sixty-four percent of respondents reported that their organization experienced up to four hours of downtime before operations could resume in the wake of an attack. Approximately one-third of medium-sized practice physicians said a cyberattack led to nearly one full day of downtime.
The majority of physicians – 65 percent – said they notify an internal IT group in response to a cyber attack. That was followed by notifying/educating employees (61 percent), implementing the practice’s corresponding written policies and procedures (59 percent), and notifying the EHR or health IT vendor (56 percent).
Half of surveyed physicians said they have a designated in-house security official, with 17 percent of respondents saying they do not have one but are interested in having the position.
Twenty-six percent of those surveyed reported that they use outsourced security management, while 23 percent said they utilize shared security management (i.e., with another practice in their area).
When it comes to cybersecurity-related training content, most respondents said the content is generated by an IT vendor. Thirty-seven percent said their vendor develops the training content, with 20 percent reporting that an individual in their practice does so. Eighteen percent said another type of third party develops the training content.
Telemedicine, patient-generated health data, and risk-based security analytics were the top three new technologies most likely to be adopted in the next year, the survey showed.
Respondents also listed the following areas where more information could help them stay confident in their practice’s security:
- Tips for good cyber hygiene – 50 percent
- Simplifying the legal language of HIPAA – 47 percent
- Easily digestible HIPAA summary – 44 percent
- An explanation of the more complicated HIPAA areas – 40 percent
- A how-to guide for conducting a risk assessment – 38 percent
“Physician practices should not rely on compliance alone to enhance their security profile,” Accenture Global Health Practice Head Kaveh Safavi, M.D., J.D., said in a statement. “Keeping pace with the sophistication of cyberattacks demands that physicians strengthen their capabilities, build resilience and invest in new technologies to support a foundation of digital trust with patients.”
Implementing the latest technologies can be beneficial for healthcare organizations, but entities must also take the time to properly educate all employees on how to avoid a potential healthcare cybersecurity attack.