These include defrauding payers by putting false diagnosis and treatment information into the record or hacking into systems, bypassing medical device cybersecurity measures in a way that could threaten patient care.
Cyberattacks are common in clinical practices. More than four out of five physicians have been a victim of some type of cyberattack, with “phishing” being the most common (55 percent).
Phishing uses sham emails to entice recipients to reveal sensitive information—such as passwords—or trigger malware, including ransomware that blocks access to patient records and other vital practice information until an untraceable online payment is made. Nine percent of respondents reported that their practice’s information was held in a ransomware scheme.
The next most common attack involves computers being infected with viruses or malware via a downloaded file.
Cyberattacks cause operational interruptions. Both electronic health record (EHR) security breaches where patient data was compromised and interruption of practice operations because EHR access was blocked were cited by 74 percent of responding physicians as a top cybersecurity concern.
One in three physicians said their practice experienced a cyberattack-related business shutdown. Here is how long these physicians’ practice systems were down:
- Four hours or less—64 percent.
- Five to seven hours—20 percent.
- One to two days—12 percent.
- More than two days—4 percent.
Most physicians think sharing information is important. Eighty-five percent of physicians believe sharing electronic protected health information was “very” or “extremely” important.
But integrated care arrangements are only as strong as their weakest link. To securely share data, physicians need to work together and practice good “cyber hygiene” to protect the entire electronic health care ecosystem.
The AMA advocates that the federal government offer positive incentives—not just penalties—to encourage physicians to bolster their security systems. Incentives could include creating Improvement Activities within Medicare’s Merit-based Incentive Payment System (MIPS) that provide credits for implementing good cybersecurity practices.
Physicians “are not the best situated to mitigate risks, and are not necessarily experts in understanding the underlying technological specifications. Nonetheless, it is physicians who are at risk of liability and potential government enforcement actions,” AMA Executive Vice President and CEO James L. Madara, MD, wrote to Congressional leaders examining health care cybersecurity issues.
Physicians rely on third-party cybersecurity assistance. Almost half of physicians have an in-house security official, but only 20 percent of small practices do and they typically trust health IT vendors to provide cybersecurity support. About one-quarter of physicians outsource security management and 28 percent said they do not, but are interested in doing so.
Seventeen percent have received donated security-related hardware or software from other provider groups, hospitals or health systems. Another 29 percent have not received such donations, but are interested in receiving them. The AMA is working on ways to help physicians receive these donations while remaining in compliance with laws and taking proper cybersecurity measures.
“Allowing hospitals and other large providers to share and donate cybersecurity support to physicians will help ensure the security of patient information and improve care coordination among the ecosystem,” Dr. Madara wrote in a letter to the Department of Health and Human Services.
The AMA advocates increased support from the federal government to help practices bolster their breach resilience. A new AMA-endorsed law directs federal agencies to dedicate cybersecurity resources to small business—including physician practices.
The AMA offers physician cybersecurity tips to protect patient health records and other data from cyberattacks.
New technologies bring new challenges. EHRs are not the only technology that produces medical information security challenges. One-third of physicians said they will adopt telemedicine with the next year, and 21 percent report they will do so within one to two years. Also, 28 percent reported that they expect to receive patient-generated health data within the next year, and 27 percent said they will do so within one to two years.
Half the physicians surveyed also said they would like to receive tips on good cyber hygiene. The AMA offers advice on protecting patient data from viruses, malware and hackers on its Physician Cybersecurity webpage. A safety checklist for office computers is also available.
Research published in JAMA, “Temporal Trends and Characteristics of Reportable Health Data Breaches, 2010-2017,” delves into the 2,149 breaches reported to the Department of Health and Human Services between 2010 and 2017.