Viruses, malware and hackers pose a threat to patients and physician practices. The AMA has curated resources and tips for physicians and health care staff to protect patient health records and other data from cyberattacks.
- Current threats
Reports surface about health data breach at Oracle Health
There are multiple reports of a possible breach of patient data at Oracle Health. Although Oracle Health has not yet publicly confirmed a breach, multiple sources indicate that an older, legacy Cerner system (which Oracle Health acquired in 2022) was breached and that data belonging to hospital customers being migrated into the Oracle Health platform was exposed. The breach occurred sometime after Jan. 22, 2022, and reports indicate that Oracle Health first detected an intruder in its systems on Feb. 20.
We encourage physician practices to reach out to their representatives at Oracle Health/Cerner to determine whether their patient data was included in the breach. We will continue to provide updates as more information becomes available.
ChatGPT vulnerability
A ChatGPT vulnerability identified last year is being exploited by cyberthreat actors to attack security flaws in artificial intelligence systems, according to a March 12 report by Veriti, a cybersecurity firm. The National Institute of Standards and Technology lists the vulnerability as medium risk, but Veriti said it has been used by cyberthreat actors in more than 10,000 attack attempts worldwide. Health care organizations are among the top targets of these attacks, which could lead to data breaches, unauthorized access, regulatory penalties and reputational damage. Health care organizations are advised to reach out to their technology vendors to identify any potential risks and the need for preventive measures.
Change Healthcare cyber issue
On Wednesday, Feb. 21, Change Healthcare began experiencing a cybersecurity issue and isolated its systems to prevent further impact. Optum, UnitedHealthcare and UnitedHealth Group (UHG) systems were not affected by the issue, according to information provided by UHG. UHG has indicated that it has taken appropriate action to contain the incident so that customers and partners do not need to sever network connections and disrupt vital services.
Picture Archiving and Communication Systems (PACS) vulnerability
Picture Archiving and Communication Systems (PACS) are widely used by hospitals, research institutions, clinics and small health care practices for sharing patient data and medical images. In 2019, researchers disclosed a vulnerability in these systems that, if exploited, could expose patient data. PACS servers are easily discoverable by attackers using simple open source scanning tools, and if left unpatched they can expose patient records to unauthorized access. A compromised PACS server can also affect connected clinical devices and spread malicious code to other parts of your office network. A number of unpatched PACS servers remain in use today.
The AMA recommends that physicians reach out to their PACS vendors about patching their systems. More information about this vulnerability can be found in this Health Sector Cybersecurity Coordination Center alert (PDF).
Potential Russian cyberattack fact sheet
In a recent brief, the Biden-Harris administration urged the nation’s critical infrastructure, including health care organizations, to harden cyber defenses to prepare for potential Russian cyberattacks. “Based on evolving intelligence,” the brief states, “the Russian Government is exploring options for potential cyberattacks.” Organizations are advised to mandate multi-factor authentication, protect against known vulnerabilities, back up and encrypt data, and drill emergency plans to prepare for cyberattacks.
Organizations are also encouraged to engage proactively with their local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incident. Your organization's information technology and security professionals should also visit the CISA and FBI websites, where they will find technical information and other useful resources to help strengthen your medical practice’s cybersecurity.
Privacy and security risks from online tracking technologies
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) are cautioning hospitals and telehealth providers about the privacy and security risks of online tracking technologies that may be integrated into their websites or mobile apps and that may be disclosing patients’ sensitive personal health data to third parties. Tracking technologies collect and analyze information about how users interact with websites or mobile apps, and they may continue to track users and gather information about them even after they navigate away from the original website to other websites.
Ransomware and email phishing attacks are on the rise
Ransomware is a form of malicious software designed to encrypt files on a computer or other device, rendering those files and the systems that rely on them unusable. Malicious actors then demand a ransom in exchange for decryption. Ransomware actors often also threaten to sell or leak stolen data (e.g., business and patient records) or authentication information (e.g., usernames and passwords) if the ransom is not paid. This is particularly concerning if a health system’s EHR or other medical technology is infected. In recent years, ransomware incidents have become increasingly prevalent among health care organizations.
A main conduit for ransomware is your office’s email system. Email is the preferred attack vector for malicious phishing campaigns. By referencing current events, threat actors can craft emails that are likely to capture recipients’ attention and lure them into clicking a link or downloading a file containing malicious code; this technique is referred to as phishing. Given the recent shift to more telework and remote options, organizations and workers face increased risk of falling victim to phishing emails and cyberattacks.
The HHS and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) have created resources and guides to help medical practices and other small businesses protect against ransomware and phishing:
- Counter Phishing Guide (PDF)
- Ransomware (PDF)
- How to defend against cyber-attacks
Strengthening Cyber Defenses: CISA’s Free Vulnerability Scanning Service
The Cybersecurity and Infrastructure Security Agency (CISA) offers a wide range of free tools and services to help organizations address their cybersecurity needs. One of these is CISA’s vulnerability scanning service, which regularly monitors and assesses internet-connected technology to evaluate its security health. The service checks for thousands of vulnerabilities, weak configurations, configuration errors and poor security practices. By enrolling, health care organization owners and IT staff can make prioritized decisions to protect their medical practices from cyber threats and disruptions, while also identifying vulnerabilities, improving response strategies and significantly reducing risk, all of which strengthen defenses against evolving cyber threats. To learn more, please visit the CISA webpage on its vulnerability scanning services.
New risk assessment tool available
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP) released a new version of the Security Risk Assessment (SRA) Tool. The SRA Tool is designed to aid small and medium-sized health care organizations in their efforts to identify and assess potential risks and vulnerabilities to electronic protected health information (ePHI) when conducting a risk analysis as required by the HIPAA Security Rule. Conducting an accurate and thorough risk analysis is a foundational activity to protect ePHI from cyber-attacks and to comply with the HIPAA Security Rule.
The downloadable SRA Tool is a desktop application that walks users through multiple-choice questions to help identify and assess potential risks and vulnerabilities to ePHI. References and best practices to strengthen an organization’s cybersecurity posture are provided while using the tool.
AMA cybersecurity resources
The AMA has developed tips and advice on protecting your computers and network to keep your patient health records and other data safe from cyberattacks. Download and share with your staff and IT:
- How to improve your cybersecurity practices (PDF)
- Cybersecurity checklist for office computers (PDF)
- Protect your practice and your patients from cybersecurity threats (PDF)
- Infographic: Cybersecurity in health care (PDF)
Creating an informative e-mail campaign
To help spread awareness of cybersecurity across your organization, a packet of infographics, images and posters has been developed, along with simple instructions to help you create an informative and engaging email campaign. The email campaign instructions and images can be found in the NCSAM Package.
Additionally, health care and security experts have developed a set of useful materials to help guard your entire medical practice against cyberattacks. These materials have been designed with small to medium-sized medical practices in mind.
The main document (Health Industry Cybersecurity Practices) explores the five most relevant and current threats to physician offices and recommends 10 cybersecurity practices to help mitigate these threats. Technical volumes 1 and 2 provide the “how” so that physicians and office administrators can implement these practices in their small, medium or large health care organizations.
Government resources for practices
In response to House of Delegates (HOD) policy, the AMA has developed several cybersecurity resources for physicians. In addition to what is found on this page, please see additional information (PDF) about government resources for practices, cyber hygiene services, and Stark Law and Anti-Kickback Statute protections for donations of cybersecurity technology.
HHS Health Sector Cybersecurity Coordination Center launches cybersecurity website
The HHS Health Sector Cybersecurity Coordination Center (HC3) has recently launched a new website to help physicians and their medical practices be better informed about potential cyber threats. HHS is working with practitioners, health care organizations and cybersecurity experts to understand the threats facing the health care sector, learn the patterns and trends used by malicious actors, and provide information and approaches on how medical practices and hospitals can better defend themselves.
New guide to assist your cyber hygiene
The HHS has released a cybersecurity implementation guide to help the public and private health care sectors prevent cybersecurity incidents. The "Cybersecurity Framework Implementation Guide" provides specific steps that health care organizations can immediately take to manage cyber risks to their information technology systems. Today's climate of increasingly sophisticated cyberattacks can negatively impact patient care, cripple business operations, expose sensitive health data and harm a practice’s reputation. Additionally, lack of attention to regulatory compliance increases the risk of fines and other penalties. The guide also contains information to assist small health care organizations.
New HSCC cybersecurity video series for physicians
Cybersecurity is a patient safety issue. The Healthcare Sector Coordinating Council (HSCC) has just released a new one-hour (total) cybersecurity video series to help clinicians better understand the ins and outs of cyber hygiene. The HSCC is a national public-private partnership dedicated to strengthening the nation’s health care critical infrastructure. This “Cybersecurity for the Clinician” video training series includes eight videos explaining, in easy, non-technical language, what clinicians and medical students need to understand about how cyberattacks can affect clinical operations and patient safety, and what you can do to help keep health care data, systems and patients safe from cyber threats.
- EHR and HIPAA considerations
AMA comments on HIPAA security proposed regulation
The AMA offered comments (PDF) on the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Health Insurance Portability and Accountability Act (HIPAA) Security Proposed Rule, emphasizing that cybersecurity is a priority for physicians and a prominent patient safety issue. Physicians strive to appropriately secure patient data and want very much to do their part to ensure that their information technology (IT) systems deliver proper protections.
However, the AMA’s comments underscored the complexities of the proposals and how new rules need to differentiate between covered entities (CEs) that are not similarly situated and do not pose the same risk for industry disruption. OCR proposed to regulate physician practices as though they had the same attack surface and posed the same threat of industry disruption as giant, consolidated enterprises such as national health plans and clearinghouses. The comment letter made a case that this approach would impose excessive, unattainable, and inappropriate regulatory burdens on smaller, under-resourced practices.
The AMA recommended that the proposed rule be substantially revised or, absent significant changes, be withdrawn. The AMA maintained that, to be successful, new regulations must recognize that physicians and patients need tools, as well as a skilled workforce, to secure sensitive patient information in the digital sphere. These tools should consist of guidance, education and resources to implement cybersecurity best practices, which must be affordable, attainable and approachable for physicians without extensive health IT knowledge, experience or budgets.
To address this need, the AMA has long supported positive financial incentives for physician practices to adopt cybersecurity best practices and help ensure bidirectional information sharing. Financial incentives are most effective when framed as a positive stimulus, as opposed to a penalty.
In addition, the current HIPAA Security Rule (finalized in 2003) included “required” as well as “addressable” implementation specifications. Essentially, implementation specifications designated as “required” were mandatory, while those implementation specifications designated as “addressable” allowed for flexibility based on the organization’s specific situation and risk assessment.
The flexibilities that accompanied the addressable implementation specifications were not included in the Proposed Rule. The AMA did not support this policy change and urged OCR to reinstate addressable implementation specifications to provide regulated entities, particularly rural and small- to medium-sized physician practices, with the flexibilities that they need to develop a cybersecurity posture appropriate to their practice environment and the resources that are available.
The AMA has long advocated for cybersecurity policy that focuses on those larger entities in the health care sector where a breach can lead to major disruptions in care delivery and severely restrict patient access to care. Overall, the letter emphasized that the AMA wants to ensure that cybersecurity initiatives in the health care sector focus on safeguarding electronic protected health information and supporting robust delivery of patient care. Given the highly sensitive nature of an individual’s personal information, it is critical that cybersecurity programs support safeguards around patients’ and other individuals’ privacy interests and preserve the security and integrity of one’s personal information.
EHR cyber vulnerabilities
The HHS cyber agency published an updated threat brief (PDF) outlining common threats to electronic health records (EHR), including phishing attacks, malware, and cloud threats. While EHRs are important components in managing your patients’ electronic medical records, EHRs are valuable targets to cyber attackers because of the protected health information they contain.
Cyber threats can originate from criminals seeking to sell medical records on the dark web or black market. Cybercriminals may also lock down EHRs using ransomware and demand a ransom payment before access is restored to your EHR. Attacks may also originate from threat actors looking to disrupt the U.S. health care system. This brief helps EHR users understand vulnerabilities in their health information technology environment and provides guidance in identifying and preventing attacks—which is key to protecting EHRs and vital patient data.
HIPAA Security Rule for physicians and medical practices
The OCR and the National Institute of Standards and Technology (NIST) have published a resource for physicians and their medical practices to help bridge HIPAA security requirements and good cybersecurity practices. This resource can not only improve compliance with the law but also bolster your cybersecurity.
The publication provides an overview of the HIPAA Security Rule, strategies for assessing and managing risks to electronic protected health information (ePHI), suggestions for cybersecurity measures and solutions that physicians and medical practices might consider as part of an information security program, and resources for implementing and complying with regulations.
Protecting electronic health information
Most EHR systems have security features built in or provided as part of a service, yet they are not always configured or enabled properly. This can lead to unauthorized access to your patients’ electronic health information. It is important to learn about the basic security features of your EHR and ensure they are functioning and are updated when necessary. Health care organizations, along with their EHR vendors, should make protecting their EHRs from cyber threats a top priority in order to keep their patients safe and secure. This HHS document (PDF) lists several resources that can strengthen the cybersecurity of your medical practice.
Strong authentication can protect patient records
Strong authentication is analogous to a locked door in the cyber world. Weak or non-existent authentication processes leave your computer network open to intrusion by malicious actors and increase the likelihood that sensitive information, including patients’ electronic health information and your EHR, will be compromised. Robust authentication serves as the first line of defense against malicious intrusions and attacks. The HHS has published guidance to help physicians implement stronger authentication processes to prevent many cyberattacks.
- Private practice resources
Cyber insurance and resources for small practices
The HHS cybersecurity advisory group recently posted a newsletter (PDF) highlighting several health care cyber articles. These include information on cyber insurance and incident response protocols for small medical practices.
Incident response is the ability to discover cyberattacks and prevent them from causing harm. Incident response is often referred to as the standard “blocking and tackling” of information security. Small organizations are often challenged by incident response management. HHS provides recommendations to establish and implement an incident response plan.
New tool to help small- and medium-sized medical practices assess security risks
The OCR and the Office of the National Coordinator for Health Information Technology (ONC) at the HHS have released version 3.4 of the Security Risk Assessment (SRA) Tool. This tool is designed to aid small- and medium-sized health care organizations in their efforts to assess security risks. Conducting a yearly security risk assessment is required to be compliant with HIPAA. The latest version of the SRA Tool contains a variety of feature enhancements based on user feedback and public input.
HHS HIPAA video series
The HHS has created several tools and resources to help medical practices defend against cyber-attacks. HHS’ first video includes examples of real-world cyber-attack trends and explores how implementation of appropriate HIPAA Security Rule safeguards can help detect and mitigate common cyber-attacks. The next video covers the HIPAA Security Rule’s Risk Analysis requirement. The webinar discusses how a thorough assessment of potential risks and vulnerabilities is key to good cyber-hygiene.
- AMA advocacy on cybersecurity
The AMA continues its advocacy work to improve health care cybersecurity.
- AMA letter to HHS on the HIPAA Security Proposed Rule (PDF)
- AMA letter to OIG on “Solicitation of new Safe Harbors and Special Fraud Alerts” (PDF)
- AMA letter to Congress on cybersecurity and the use of legacy technologies in health care (PDF)
- AMA letter to FDA on "Developing a Software Precertification Program: A Working Model" (PDF)
- AMA statement to FDA on intersection of big data, privacy and competition (PDF)