Other cybercriminals just want to steal patient information outright. Medical files are highly valued in the world of financial fraud because of the depth of information they contain, far more exploitable than a credit card number taken from a retail site. But, increasingly, the concern is that patient information will be used in a wide variety of health care fraud. Fake claims to defraud payers also place false diagnosis and treatment information into the medical record of the legitimate patient whose data were hijacked. It is not only patient files that are at risk. Another serious concern, still mostly on the horizon, is the compromise, through online connectivity and malware, of medical devices critical to patient care; the FDA recently recalled nearly a half-million pacemakers because of that vulnerability.
Still, there is no turning back on the positive uses of the technology and the AMA survey reports that 85 percent of the respondents believe it is important to have the ability to share patient electronic information. But they are critical of the public policy implementation that, after they were encouraged to go online, frustrates them when it comes to meeting the accountability standards Washington has set.
Cybersecurity's big practice costs
Meaningful use incentives—now part of Medicare’s Merit-based Incentive Payment System—put many physician practices on the road to online connectivity. The privacy enforcement standards under the Health Insurance Portability and Accountability Act (HIPAA) set substantial penalties for violations. However, the complexity of HIPAA compliance has left physicians in a quandary: how to comply with elaborate requirements, explained in dense legalese, when the law must be applied in the real-life world of patient care.
The vast majority of physicians—87 percent—believe their practices are HIPAA compliant, but 83 percent believe HIPAA compliance is “insufficient.” They want to understand where their practice is at greatest risk so that attention and investment can be directed there. Many physicians say they want tips for good cyber hygiene, simpler legal language on HIPAA requirements, how-to advice on conducting cybersecurity risk assessments, and information on what to consider before hiring a consultant to help with HIPAA compliance.
Meanwhile, practices are running up six-figure annual cybersecurity bills. The amounts can be $250,000 per year for a nine-physician practice, or as much as $400,000 annually for a regional medical center with 50-plus physicians. To make the most effective use of the spending, it is important to establish a cybersecurity risk-management program. The AMA has partnered with the healthcare cybersecurity alliance HITRUST to help small- and mid-sized practices with dependable information and strategies, in a series of workshops in eight cities throughout the country, including Pittsburgh, Chicago, Cleveland and Dallas. See the complete list of upcoming dates and locations.
Physicians can get a quick start on understanding the issues with the AMA’s one-hour cybersecurity webinar on Jan. 24, 2018. Online attendees will learn what the AMA is doing to build awareness and understanding of the issue, how physicians can advocate to protect their patients, and how to gain insight into the shared responsibility for securing electronic patient information. Register.