By Noell Saunders

More than 80 percent of physicians say they have experienced some sort of cyber attack, with phishing being the leading cause - according to new research released by the consulting firm Accenture and the American Medical Association.

The findings don't surprise Hongyi "Michael" Wu, director for Old Dominion University's Center for Cybersecurity Education and Research. He said the U.S. health care system relies heavily on digital systems to collect, store and share medical data to prevent medical errors, improve quality of care and decrease costs.

"It becomes mandatory for health care providers to store health information digitally, according to the Patient Protection and Affordable Care Act of 2010," Wu said. "Medical records include not only patients' medical information, but also payment and billing data, as well as other highly sensitive identity information such as social security numbers."

In the study, about 1,300 physicians across the United States were surveyed last summer about their experiences and feelings toward cybersecurity. More than half said they are "very worried" about future cyber attacks on their organizations.

"As more medical devices are connected to networks," Wu said, "they are also exposed to more cybersecurity vulnerabilities." He said the main problem is that the health care industry has traditionally underinvested in cyber technologies. If this continues, more cyber attacks will happen.

"Medical cyber defense systems have not kept up with the growth of digital health data," Wu said. "In addition, health care is one of the most regulated industries in the United States, which makes it slow in making changes in its system."

What's more interesting about the survey, he said, is that most of the physicians who participated think compliance with the Health Insurance Portability and Accountability Act is not enough. The U.S. legislation provides data privacy and security provisions for safeguarding medical information.

Wu said HIPAA is a good starting point, but more needs to be done to keep up in a rapidly changing field.

"HIPAA indicates (minimum) procedural requirements, but not specific techniques to implement protection," he said. "New attacks come out every year. It would be difficult for HIPAA to include requirements for all vulnerabilities."

Wu urged consumers to be more vigilant when it comes to safeguarding personal information.

"Patients need to understand the risk -- always pay attention to their credit cards and accounts, and monitor their bills for suspicious activity," he said. "Additionally, health care organizations need to work closely with medical information system vendors to make sure that adequate protection is put in place and patient safety concerns are addressed."

Related News Stories