HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture.

The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently.

83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare.

48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium to large practices were twice as likely to experience those types of cyberattacks than those at small practices.

When cyberattacks occur, they can result in considerable downtime. 64% of physicians said they experienced up to 4 hours of downtime following an attack, while 29% of physicians at medium-sized practices experienced downtime of up to one day.

Given the frequency of cyberattacks and the difficulty physician practices have at preventing those attacks, it is not surprising that the threat of attack is a major cause of concern. 55% of physicians were very or extremely worried about further cyberattacks at their practice. 74% said they were most concerned that future attacks would disrupt clinical practices and the same percentage were concerned that cyberattacks would result in breaches of patients’ protected health information. 53% were concerned that cyberattacks would have an impact on patient safety.

Physicians are aware that HIPAA compliance is important for cybersecurity, but simply doing the minimum and ensuring HIPAA requirements are met is not sufficient to prevent attacks. 83% of physicians said a more holistic approach to prioritizing risks is required than simply complying with HIPAA.

Kaveh Safavi, head of Accenture’s global practice said “Physician practices should not rely on compliance alone to enhance their security profile. Keeping pace with the sophistication of cyberattacks demands that physicians strengthen their capabilities, build resilience and invest in new technologies to support a foundation of digital trust with patients.”

Interestingly, while 87% of physicians believed their practice was compliant with HIPAA Rules, two thirds of physicians still have basic questions about HIPAA, suggesting their compliance programs may not be quite as comprehensive as they believe.

While the sharing of ePHI can introduce new risks, 85% believed PHI sharing was important, and 2 in 3 physicians thought that more access to patient data could improve the care provided to patients.

“New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentially and integrity of health care data,” said AMA President David. O. Barbe.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.