Stop the Insanity: Physician’s Information Security Practices Must Change to End Cyberattacks

By David Holtzman, JD, CIPP/G, VP, Compliance Strategies, CynergisTek
Twitter: @cynergistek
Twitter: @HITPrivacy

New data reporting on the incidence of malware and ransomware incidents in healthcare find that the majority of physicians are experiencing cyberattacks while many fear they are in the line of fire for future attacks. At the same time, most providers believe their practices are complying with the HIPAA security requirements. These surveys of physician sentiment stand in stark juxtaposition to the results of HIPAA compliance audits conducted over five years that found very few providers have adequate information security management practices to safeguard their data.

A survey of 1,300 physicians conducted earlier this year by the American Medical Association and Accenture found that four out of five had experienced some form of cyberattack, such as a phishing or malware episode. 55% of physicians responded that they are worried about future cyberattacks. Similarly, a survey of hospital staff by HIMSS Analytics and Mimecast found that three out of four organizations said they had suffered a malware or ransomware attack in the last year, with one in five responding that they experienced 16 or more malware incidents during that period. Despite the majority of health care providers experiencing cyberattacks, 87% of physicians responding to the AMA survey said their practices were “HIPAA compliant,” although 66% had questions about the basic requirements of the HIPAA rules.

OCR reports that its audits of information security management practices found very few of the health care providers surveyed had adequate information security management programs that could help detect or protect against cyberattacks. The 2016 audits of compliance with the HIPAA Security Rule looked at 60 health care providers, evaluating how they met the requirements to conduct an information risk analysis and to have risk management plans to safeguard e-PHI. OCR found that 83% of these covered entities had inadequate risk analysis policies or had failed to conduct appropriate risk assessments. 94% of the health care providers failed to have adequate security management policies or risk management plans to fix the gaps that make them vulnerable to cyberattacks.

For years, there have been warnings that smaller healthcare providers were not putting into place the safeguards needed to protect electronic health information by identifying and managing threats to their information systems. In 2012, OCR found that 80% of the health care providers selected for compliance audits had not completed an accurate risk assessment of their health information systems. Industry and medical professional associations have consistently linked the incidence of malware and ransomware attacks to the failure of smaller health care providers to adopt basic information security practices.

Albert Einstein said, “…insanity is doing the same thing over and over again, but expecting different results.” Einstein never could have envisioned that he could be describing the approach physicians take to protect their information systems from rampant cyberattacks.