According to results of a startling new survey, four in five doctors (or 83 percent) have experienced a cyberattack of some kind, with the most common attack being phishing (55 percent of those surveyed), followed by viruses (48 percent).
The survey, which was conducted by Accenture and the American Medical Association (AMA), drew on responses from 1,300 physicians in the US. Unsurprisingly, 55 percent of respondents stated they were very or extremely concerned about a cybersecurity event striking their practice. These results come at a time when data sharing between providers—and providers and patients—is at an all-time high, with the adoption of electronic health records (EHRs), health information exchanges (HIEs), and an increase in the popularity of mobile health devices.
As noted in the survey, 85 percent of physicians believe it is very or extremely important to share personal health data outside of their health system so long as it’s accomplished securely. What’s more, 83 percent of physicians said that HIPAA compliance alone is insufficient and that a more holistic approach to assessing and prioritizing risks is needed, according to an AMA news release about the survey.
In response to urgent cybersecurity concerns in the physician community, AHIMA has released guidelines for providers looking to implement cybersecurity prevention measures, including actions that can be started immediately as well as comprehensive efforts that require more long-term commitments.
The document, “AHIMA Guidelines: The Cybersecurity Plan,” stresses the importance of implementing an information governance (IG) program to combat cyber threats as well as other privacy breaches, but it also includes a 17-step plan for preventing attacks and responding quickly when they happen.
Some of those steps include:
- Conduct a risk analysis of all applications and systems
- Patch vulnerable systems
- Encrypt workstations, smartphones and tablets, and portable media and backup tapes
- Develop incident response capability
- Evaluate business associates
- Improve tools and conduct an internal phishing campaign—this should train employees on identifying suspicious emails that are the hallmarks of phishing attempts
- Hire an outside security firm to conduct technical and non-technical evaluations
- Recognize record retention as a security threat
“Once an IG program is created and implemented, a cybersecurity plan should be reviewed at least quarterly to ensure the organization is doing everything possible to prevent or detect an attack,” AHIMA’s guidelines state.