Independent physicians are concerned about data security, but feel they are limited as to what they can do to protect it.
The numbers are staggering: Nearly one in every three Americans has had their medical records compromised, with more than 112 million healthcare records breached last year alone.
Yet despite those figures, reported by HHS’ Office for Civil Rights, a majority of doctors surveyed say they are not worried about the security of the patient health information residing in their electronic health record (EHR) systems.
More than half (58%) of physicians say they are not concerned about the security of the data contained in their EHRs, according to Medical Economics’ exclusive 2016 EHR Report.
Medical Economics asked 2,129 physicians: “Are you concerned about the security of the data contained in your EHR system and the potential for a breach?” Of the 2,111 who replied, 879 said yes while the other 1,232 said no.
Moreover, the survey found that views on the risk differ by practice size: physicians in smaller practices generally indicated less concern about data security than did their counterparts in larger practices.
Some 63% of single-physician practices say they’re not concerned vs. 36% who say they are, and 60% of those in practices with two to five physicians say they’re not concerned about the security of their patient data compared with 39% who say they are. (In both cases, 1% did not respond.)
Compare those numbers to the responses from physicians working in practices with more than 100 doctors. Among those respondents, 53% say they’re not concerned while 45% say they are.
Steven J. Stack, MD, immediate past president of the American Medical Association, has a different perspective on the levels of concern that doctors have expressed on the topic of data security. He says doctors recognize the risk, do what they can to mitigate it and then move on to other worries, namely their core area of expertise: providing medical care.
“It’s not a lack of concern, but a sense that ‘I have as much control over data security as I do over preventing a nuclear war, so I’m not going to dwell on it and I’m going to focus on more immediate concerns like: was I a good enough doctor to that patient who came in with a problem?’” Stack says.
He adds: “Physicians in a small office can certainly influence policies and procedures for account security, passwords and things like that, but when they see in the newspapers that Target and Sony and the Office of Budget and Management are having their data breached, they wonder how in the world can a two- or three-person practice have anything in their control to stop it?”
Raj Mehta, CISA, CISSP, partner at Deloitte & Touche LLP and healthcare providers sector leader for Deloitte Advisory Cyber Risk Services, says physicians at small practices don’t have as many opportunities to understand the magnitude of security threats they may face, which contributes to the differences in the Medical Economics findings.
“They don’t have a full understanding of what’s going on and how bad actors are targeting healthcare,” he says. “Typically, they don’t have a dedicated IT person who understands this space, who understands the risk, or who sees it on a day-to-day basis, so there’s probably a lack of awareness.”
While small practices may think they are too small to be hacked, Mehta notes that healthcare records, with their trove of personal, financial and medical information, are valuable to cybercriminals, so they’ll go after even a small office to get them. Cybercriminals may also target small practices because they see them as a possible easy entryway into larger healthcare systems that may have more robust security, but a bigger payoff in terms of number of records they could steal.
Lee Kim, JD, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS), says doctors at smaller practices, who are often tasked with overseeing the practice’s IT strategies, don’t have time to study cybersecurity and so don’t realize they’re still at risk even with cyber defenses in place.
“Even if you buy software that’s supposed to protect you, there are just so many ways into your electronic systems. People don’t realize how easy it is to get someone’s password or fall for a phishing email,” she says.
Larger practices, on the other hand, usually have dedicated IT staff and often even IT security experts who educate doctors and their support staff about cyber threats, Kim says. “These larger guys are more savvy. They have actual security staff and they’re sharing information with their peers and they’re more aware of the reality,” she says.
Physicians at smaller practices already have so many other, more immediate concerns that they’re not able to focus as much on cybersecurity. “A lot of these guys are overwhelmed with all the other things they have to do with laws and regulations and quality measures and what’s involved in terms of running a business and all that’s involved in taking care of their patients that they’re not able to worry about data security,” Kim says.
Daniel Nutkis, chief executive officer of the Health Information Trust Alliance (HITRUST), an industry association founded by the chief information security officers of large healthcare organizations, says his organization has wrestled with this disconnect between lack of concern and reality for years. While he also sees that smaller practices tend to have the biggest disconnect, Nutkis says the healthcare industry as a whole doesn’t fully appreciate the extent of today’s cyber threats.
Nutkis says the fact that most cyber criminals try to hide their actions is part of the reason why the majority of doctors say they’re not concerned about the patient data in their EHRs; they don’t realize how prevalent it is. He points to a 2015 HITRUST study that found 52% of the 60 hospitals sharing data with the organization had undetected malware residing on their networks.
“Hackers in the past wanted to get in and get out and not be detected, so there was a little bit out of sight, out of mind happening,” Nutkis says, adding that these kinds of attacks often don’t disrupt day-to-day operations at healthcare organizations.
That lack of impact on operations could be another reason why many doctors report not being concerned about data security. “There’s a lot going on that organizations aren’t cognizant of, and we continue through our studies to prove that that’s the case,” Nutkis says.
Some high-profile events this year have helped draw awareness to cybersecurity, Nutkis says. He cites ransomware attacks, such as those that hit Hollywood Presbyterian Medical Center in Los Angeles and Methodist Hospital in Henderson, Kentucky, in which cybercriminals installed ransomware on the hospitals’ networks, locking down their systems and then demanding ransom to release them. “We noticed when ransomware started to impact operations,” he says, “people took [cybersecurity] very seriously.”