A majority of physicians in the United States have experienced a cybersecurity incident, and many are very concerned about the potential impact of a cyberattack, according to a study conducted by professional services company Accenture and the American Medical Association (AMA).
A survey of 1,300 doctors revealed that 83% of clinical practices experienced some type of cybersecurity incident. The most common is phishing (55%), followed by malware infections (48%), improper access to electronic protected health information, or ePHI (37%), network breaches (12%), and ransomware and other attacks involving ransom demands (9%).
More than half of respondents said they were either very concerned or extremely concerned about future cyberattacks, particularly that they may result in interruption to their business or electronic health records (EHR) getting compromised. Physicians are also worried about patient safety (53%), civil or criminal liability (36%), damage to reputation (34%), costs associated with incident response (32%), impact on revenue (30%), fines (25%), and medical device security (19%).
When asked about the impact of past cybersecurity incidents on their business, 64% of respondents said it had caused downtime of four hours or less, but in 12% of cases normal operations were suspended for 1-2 days, and in 4% of cases for more than two days.
In response to incidents, the most common actions were notification of the internal IT team (65%), notification or education of employees (61%), implementation of new policies and procedures (59%), and notification of the EHR or health IT vendor (56%).
While doctors are concerned about the security risks associated with the use of electronic systems, they also noted that the ability to share data with outside entities is in most cases very important.
The study also shows that physicians often trust third parties to keep their ePHI data secure. In many cases, they either get assurance from the vendor or simply trust that their data is being protected. Many also sign contracts or rely on their privacy officer to ensure that sensitive information is stored securely.
Nearly half of organizations have an in-house person responsible for cybersecurity and 17% said they are interested in appointing someone to such a position. Others either outsource security management (26%), or share security management with another practice (23%). Some physicians said they received donated cybersecurity software or hardware.
When it comes to security training, half of respondents named tips for good cyber hygiene as the factor that would boost their confidence in their security posture. Others named simplifying the legal language of HIPAA (47%), easily digestible summary of HIPAA (44%), explaining the more complex rules described by HIPAA (40%), and guidance on conducting risk assessments (38%).
Related: Organizations Failing to Upgrade Systems, Enforce Patches
Related: Healthcare’s Unique Cyber Risk Management Challenges

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
Latest News
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
- US, Israel Provide Guidance on Securing Remote Access Software
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
