More than four in five US physicians (83%) have experienced some form of a cyber attack, according to new research by the American Medical Association (AMA) and Accenture.
Fifty-five percent of the 1300 physicians who responded to the AMA/Accenture survey were very or extremely concerned about future cyberattacks in their practice. Physicians were most concerned that future attacks could interrupt their clinical practices (74%), compromise the security of patient records (74%), or affect patient safety (53%).
"The important role of information sharing within clinical care makes health care a uniquely attractive target for cyber criminals through computer viruses and phishing scams that, if successful, can threaten care delivery and patient safety," AMA President David O. Barbe, MD, said in a press release. "More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentially and integrity of health care data."
The findings show the most common type of cyber attack was phishing — cited by 55% of physicians who experienced an attack — followed by computer viruses (48%). Physicians from medium and large practices were twice as likely as those in small practices to experience these types of attacks.
Nearly two thirds (64%) of all the physicians who experienced a cyber attack had up to 4 hours of downtime before they resumed operations, and 29% of physicians in medium-sized practices that were attacked said they experienced almost a full day of downtime.
Eighty-five percent of the respondents believe it is very or extremely important to share personal health data outside of their healthcare organization — they just want to do it safely. Two thirds believe that greater access to patient data both inside (cited by 67%) and outside (65%) their organization would help them provide high-quality patient care more efficiently.
Nothing in the survey results indicated that health information exchange raised the odds of cyber attacks on practices. According to a recent report on hacking of healthcare providers, insider threats, such as staffers falling for phishing attacks, play a leading role in healthcare breaches overall. The report from Protenus indicated that 41% of data breaches in 2017 were tied to insider errors or wrongdoing. A 2014 report by Forrester Research stated that lost or stolen mobile devices were implicated in 39% of healthcare security breaches.
The AMA/Accenture survey results reinforce the fact that small and medium-sized practices — not just big groups and healthcare systems — are now targets of cyber thieves. Among the 388 security breaches under investigation by the Office for Civil Rights of the Department of Health and Human Services, for example, are incidents that occurred in family medicine practices in Virginia, Colorado, and Kansas; an oncology group in North Carolina; an obstetrics/gynecology practice in Texas; and an otolaryngology group in New Jersey.
The new research shows that 56% of physicians alert their health information technology (IT) vendor when a cyber attack occurs. Thirty-seven percent have obtained security training from their health IT vendor. Forty-nine percent of the respondents have in-house security officers, which are more common in larger practices. Eighty-seven percent of the physicians believed their practice was compliant with the Health Insurance Portability and Accountability Act (HIPAA) security rules, but two thirds of the respondents had basic questions about HIPAA.
"Physician practices should not rely on compliance alone to enhance their security profile," said Kaveh Safavi, MD, JD, head of Accenture's global health practice. "Keeping pace with the sophistication of cyberattacks demands that physicians strengthen their capabilities, build resilience and invest in new technologies to support a foundation of digital trust with patients."
A third of the physicians expected to adopt telemedicine, and 28% of them said they were likely to adopt patient-generated health data within the next year. However, physicians who were interviewed still expressed concern over the security and HIPAA implications of telemedicine.
