When a global cyberattack crippled several major health systems in mid-2017, Northwell Health wasn’t taking any chances. The company’s IT staff spent an entire weekend updating its software and information systems to prevent being infected by the circulating viruses.
“We weren’t directly impacted by the attack, thankfully,” says Mark Jarrett, MD, senior vice president and chief quality officer at Northwell, New York state’s largest health system. “But it was a wake-up call.”
Cyberthieves have increasingly set their sights on health care organizations, which include everything from large health systems to small individual practices. The reason: Health care organizations and practices hold troves of sensitive patient information. A recent survey of 1,300 physicians nationwide sponsored by the American Medical Association found that 83 percent of doctors have experienced some form of cyberattack, and just over half are “extremely” worried about future attacks.
Understanding the Risks
If and when health care providers do experience a cyberthreat, they may temporarily lose access to patients’ medical records, says AMA President David Barbe, MD. “Cybersecurity isn’t just a technical and policy issue; it’s a patient safety issue,” he says. “If physicians don’t have access to their records—patient histories, what medications they’re on—it will be difficult to provide appropriate care.”
The risks go much further than that, though, Dr. Barbe adds. One of the inherent values of electronic medical records, which many health providers use today, is they can be shared between practices. But if any one system storing them is not completely secure, it becomes a gateway for enabling thieves to access connected databases that may contain information for countless more patients.
That’s a real threat: For all the focus on the financial risks of identity theft, medical experts say the risks of medical identity theft are actually far worse. “If someone uses stolen credentials and gets bypass surgery, now the person whose identity was stolen has on their medical record that they had bypass surgery—which suggests they have major health issues,” Dr. Jarrett says. Getting medical identity theft corrected can be very difficult, if not impossible. It can also lead to being turned down for future health care or life insurance, not to mention the possibility of getting billed for the costs incurred by that surgery.
Closing the Security Gaps
Many large health care organizations have a dedicated IT staff and therefore may be better equipped to deal with cyberthreats as they arise. Small and midsized practices, on the other hand, often suffer more severe immediate consequences, Dr. Barbe says. The AMA study found that 74 percent of doctors cite practice interruption as their greatest concern—with nearly 30 percent of midsize practices saying it took them up to a full day to recover from an attack.
Many physicians surveyed reported wanting more support, including a simplified summary and checklist of HIPAA guidelines—federal regulations meant to secure patients’ health records—accessible tips for good cyber hygiene, and a how-to guide for assessing cybersecurity risks.
To address growing concerns about health care cybersecurity, the U.S. Department of Health and Human Services convened a task force in 2016, on which Dr. Jarrett served. The task force issued a report in June 2017 that contained recommendations for how the industry can address these issues, including establishing a “cybersecurity leader” within the HHS; increasing the security of medical devices and health IT; training the medical workforce on cybersecurity best practices; and improving how information on threats and potential fixes is shared among people in the industry.
“We need to figure out a way to support small office practices that don’t have the resources,” Dr. Jarrett says. “It’s hard because if you’re in a three-person practice, you’re busy practicing.”
The AMA study found that many small physician practices don’t have in-house cybersecurity resources, instead relying on third-party IT vendors for support. The IT vendor therefore plays a key role in helping practices both prevent attacks and manage them when they do occur.
Though more must be done at a federal level to help physicians and practices improve their cybersecurity, there are some current resources that can help, Dr. Jarrett says. The AMA, for example, provides cybersecurity tips and guidance for practices, such as a checklist for securing office computers. It’s also important that practices train their employees on how to identify and prevent social “phishing”—fraudulent emails made to look authentic in order to obtain sensitive information. Dr. Jarrett’s office, for example, sends out test phishing emails to educate its staff on the importance of caution in opening emails and clicking links.
The AMA also offers physicians and practices support at every level it can, Dr. Barbe says. “We encourage health IT developers to build safe and secure technologies and for large health systems to coordinate with physician practices in their communities—and the federal government to incentivize good cyber hygiene without creating additional physician burden.” He adds: “It’s important to meet physicians where they are and provide education and training in a way that resonates with them.”