Smaller Medical Practices Increasingly Targeted In Cyber-Attacks & Facing Potential Liability

According to a study by AMA & Accenture, 83% of physicians claim to have experienced some variety of cyber-attack. Although the majority of these did not result in breaches of data, an estimated 5.6 million patients could have potentially had their personal data accessed. Cybercriminals may be searching for data including patient names, contact information, social security and credit card information.

Smaller medical practices often mistakenly assume that they would not be the targets of hackers. In reality, they are often the most vulnerable and must make the effort to securely protect from intrusions. “Cyber-liability” insurance coverage is becoming more common as a result of these threats.

Vulnerability of Smaller Practices

Christine Marciano, president of Cyber Data Risk Managers, says that cybercriminals may be specifically targeting smaller medical practices. These practices are less likely to have adequate security measures in place. Some hackers reportedly were testing and refining their methods of attack on smaller practices prior to then moving on to larger targets such as healthcare systems.

Mobile Devices

Skycure, a network security organization, estimates that 14% of physicians maintain potentially sensitive patient data on their mobile phones that are not protected by a password. Approximately 60% of physicians reported transmitting patient data via text message at some point. Nokia says that the presence of malware on mobile devices rose by nearly 600% since 2016. These intrusions result in potential violations of HIPAA and the likelihood of civil liability.

Medical Devices

As medical technology has evolved there are more “implantable wireless medical devices” that could be accessed by hackers. In 2016, hospital electronic medical record systems were attacked much more frequently. Zach Rothstein of the Advanced Medical Technology Association explained that awareness about the cyber intrusions has risen and led to much greater security efforts.

Digital Currency

Lee Kim, JD, the director of privacy and security for the Healthcare Information & Management Systems Society, says many cyber-attacks are efforts to gather digital currency. These individuals may be mining for “pseudo currencies” such as Bitcoin. He explained that smaller medical practices are often unaware that there has been an intrusion. One basic sign of a possible breach is when computer systems are operating much more slowly.

Types of Attacks

Data from Protenus in 2017 reported that the types of breaches occurred as follows:

• 37% resulted from hacking
• 37% involved “insiders”
• 16% involved theft or losses of data
• 10% remained undetermined

Practitioners must be aware of the vulnerabilities of sending or receiving data via public networks or to cloud storage locations that are not secured. Mobile devices should have two-step verification for access and security measures should be compliant with current HIPAA standards.

Importance of Coverage

With the potential for liability associated with breaches, medical providers of all sizes are reportedly adding types of insurance coverage associated with cyber-liability. The Doctors Company, a large medical liability insurance provider, has begun including $50,000 of this type of coverage within their basic policies. 

After surveying 270 brokers and 125 underwriters in the insurance industry, it was determined that medical providers were the leading businesses that were purchasing cyber-liability type policies. The policies typically are constructed to cover claims stemming from theft, loss, or unintended transmission of sensitive medical data, financial information, and patient-specific material.