
Cybersecurity must be an essential element of every physician practice

By Bruce A. Scott, MD, President

AMA News Wire

Aug 13, 2024

It is no surprise that cybercriminals are taking dead aim at health care targets more frequently than in the past—and inflicting tremendous harm. Physician practices of all sizes must take steps to prepare and protect against these cybercriminals amid an ever-evolving threat universe.

The question is no longer if it will happen to you, but when. You can protect your practice and your patients by regularly reviewing your cybersecurity practices, strengthening your IT system safeguards and training your staff to recognize threats. As the physician’s powerful ally, the AMA offers a wealth of resources to help physicians protect patients’ health care records and data as well as your own internal practice information.

Health care is a target-rich environment for cybercriminals for a host of reasons. The decadeslong shift from paper records to digital data, and the immense number of entry points that effective sharing of electronic health information requires, have placed more data about more patients at greater risk. While it has proved useful in detecting and preventing cybercrime, AI has also compounded the problems health care providers face by allowing hackers to launch large-scale, automated social engineering attacks and quickly identify areas of vulnerability within their targets, among other concerns.

In addition to financial information and Social Security and Medicare numbers, data breaches continue to yield confidential medical information that hackers use to commit identity theft and insurance fraud—or sell on the dark web to the highest bidder. Credit cards can be canceled, but information on electronic health records can be compromised for years—which is why stolen patient data can be worth more than 50 times as much as a credit card number to a cybercriminal carrying out an attack.

The threats posed by phishing scams, ransomware attacks, spoofing, denial of service attacks and other types of cybercrimes continue to grow. So does their impact, as evidenced by the devastating blow suffered by Change Healthcare and its customers in February 2024. In addition to more than $1 billion in costs, perhaps as many as one-third of our nation’s population had sensitive health data exposed to the dark web.

More recently, the massive global IT outage triggered in July 2024 by a faulty software update issued by a single cybersecurity company emphasized the fragile nature of the global economy, and the risks of IT concentration and centralization within the computer networks upon which we all so heavily depend. Hospitals, health systems, medical labs and physician practices were all affected in varying degrees, and recovery was both labor-intensive and time-consuming.

Maintaining robust cybersecurity in health care starts with conducting a thorough security risk analysis to assure full compliance with both the HIPAA Security Rule and several Medicare programs. But that is only a start. Like nearly every other aspect of health care, effective cybersecurity preparedness and resiliency requires a team effort to build a shared culture of security awareness throughout your organization. Building that culture requires regular training to help physicians and staff members recognize and avert phishing attacks, ransomware and other types of malware and spyware, and a host of other threats.

The AMA is eager to help physicians implement cybersecurity training. For example, the curated CME course called “Cybersecurity in Medical Practice” available on the AMA Ed Hub™ details how cyberattacks occur, their impact and consequences, and practical steps to protect against them. We also offer a checklist to help protect computers used in medical practices. Additional AMA cybersecurity resources and tips outline current threats and provide details on AMA cybersecurity advocacy at the national level. The AMA provides additional cyber resources on its cybersecurity landing page.

Also, federal agencies, including the Cybersecurity and Infrastructure Security Agency, offer vulnerability scanning and security assessment services along with other resources and expertise to help health care providers improve cybersecurity and safeguard their IT systems. The Department of Health and Human Services offers threat intelligence, information on best practices and additional resources geared to health care providers.

Physicians function effectively in multiple roles, but we are not experts in cybersecurity. The AMA stands ready to help physicians and their practices achieve the highest possible level of preparedness, prevention and incident response so you can focus more effectively on patient care.
