Is your information technology secure against attacks?

MGMA poll finds only about half of respondents are confident

A wave of high-profile cyberattacks in recent months has affected hundreds of healthcare organizations across the globe and highlighted the need for practice leaders to remain vigilant regarding their information technology (IT) security.

After the “WannaCry” ransomware attack – which spread across 150 countries in May, with computers being compromised and data held hostage in return for money –  a new round of attacks associated with a different variant of ransomware was reported to have affected a prominent provider of EHR speech recognition services and numerous other organizations, including pharmaceutical giant Merck & Co. and Heritage Valley Health System in Pennsylvania.

Amid these headlines, a July 11 MGMA Stat poll found that only 55 percent of respondents said they feel their organization’s information technology (IT) infrastructure is secure against attacks. Another 15 percent reported their organization is working on it and 15 percent said they felt their IT infrastructure is not secure. A further 15 percent indicated they were unsure of their organizations security level. 

Almost one-third (30 percent) of respondents said their organization has faced some form of cyberattack, while 54 percent reported they had not been attacked and 12 percent said they were unsure.

MGMA Stat respondents shared their experience of facing a ransomware or other type of cyberattack at their practice. “We survived a ransomware attack and didn’t have to pay – used our backup tapes and were fine,” reported one respondent. “I feel safe, but I also know we are all vulnerable.” Another respondent noted that their practice’s IT team isolated a ransomware attack and restored systems from a backup, with the practice “up and running in six hours.”

Beyond the recent spate of ransomware attacks, respondents noted that their practices face a broader slate of digital threats. Phishing attempts, Trojan horse emails and providers’ personal devices being compromised were among the other types of cyberattacks reported by respondents to the July 11 poll. 

Beyond the severe harm that can be caused by a cyberattack in the form of data loss and the risk of protected health information (PHI) being breached, medical practices also can suffer a hit to their reputation in their respective communities if patients lose trust in the security of their data.

After the “WannaCry” global ransomware attack in May, MGMA teamed up with the American Medical Association, American Hospital Association and other industry stakeholders in a Department of Health and Human Services initiative to combat the cyberattacks. 

MGMA Government Affairs recommends that practice leaders take active steps to protect their practices against cyberattack, including conducting a HIPAA security risk assessment, updating operating systems and antivirus software, encrypting systems and files containing patient information and frequently training staff on malware protection protocols, including not opening files or links from unfamiliar sources. Practices using older versions of Windows operating systems should be especially vigilant.

Learn more

• Visit MGMA's HIPAA page for more information on security and risk, including MGMA’s Cybersecurity Action Steps for Medical Practices (MGMA member access) and HIPAA Security Risk Analysis Toolkit (member access). 
• Robert Tennant, MA, director, health information technology policy, MGMA Government Affairs, will lead a webinar July 27, “Protect Yourself Against Cyberattack: An Action Plan for Medical Groups.”
• The September 2017 MGMA Connection magazine will include more information on digital security issues that medical practice leaders should consider.
• Attendees of the MGMA 2017 Annual Conference in Anaheim, Calif., can learn more about protecting protected health information from hackers during a live hacking demo session Oct. 9 led by Troy Tribe, senior vice president, HIPAA services, Security Metrics, Orem, Utah. Additionally, Kathryn Wickenhauser, MBA, CHTS, regulatory compliance advisor, DataFile Technologies, Kansas City, Mo., will lead a session Oct. 10 on identifying and reporting HIPAA incidents.

Want to receive timely industry data like this every week? MGMA Stat is a simple way to get real-time healthcare data all through text message.

Join Stat