New research sponsored by the AMA and consulting firm Accenture has concluded that cyberattacks on medical practices are common – in fact, far more common than one might think.
Not only do these numbers suggest patient data is far more vulnerable than expected, it suggests that clinicians are often poorly educated about security and the implications of handling it badly. It’s fair to say that unless this trend is turned around, it could undermine industry efforts to build trusting relationships with patients and encourage them to engage in two-way data exchange.
The study found that most physicians (85%) think that sharing electronic protected health information is a good idea and that two-thirds believe that giving patients more access to their health data would improve care. One-third of respondents said that they share ePHI if they trust the vendors involved.
Thirty-seven percent get training content on security from their health IT vendor, and 50% said they trust these training providers are sure the content is adequate. However, this may be a mistake. While 87% of respondents said that their practice is HIPAA-compliant, the study also found that two-thirds of doctors still have basic questions about HIPAA. It’s clear, in other words, that trusted relationships aren’t doing the job here.
In fact, an eye-popping 83% of medical practices have experienced some form of cyberattack such as malware, phishing or viruses. Not surprisingly, 55% of physicians surveyed are very worried about future cyberattacks. Unfortunately, worrying is what many people do instead of taking action, and that may be what’s going on here.
What makes these lax attitudes all the more problematic is that when attacks occur, the effect can be very substantial. For example, 74% of respondents said that a cyberattack was likely to interrupt their clinical practice, and 29% of doctors working in medium-sized practices said that it could take up to a full day to recover from an attack, a crippling length of time for any small business.
So what are practices willing to do to avoid these problems? Among these respondents, 60% said they would pay someone to create a security framework to protect ePHI. Also, 49% of practices surveyed have in-house security staffers on board. However, it should be noted that three times more medium and large practices have such an officer in place compared to smaller medical groups, probably because security expertise is very pricey.
However, probably the most valuable thing they can do is the least expensive of the list. Every practice should require that physicians stay current at least on HIPAA and cybersecurity basics. If medical groups do this, at least they’ve established a baseline from which they can work on other security issues.