Cybersecurity in Medical Private Practice: Results of a Survey in Audiology

Abstract

Despite well-documented cyber threats to patients' protected health information (PHI), sparse evidence exists about the state of cybersecurity behavior of health care workers and medical private practices. There is evidence of insecure behavior in hospital settings, even though specific insights about private practice are still absent. In addition to mandatory standards for securing PHI, such as the Health Insurance Portability & Accountability Act (HIPAA), small business viability and their patients' security and privacy are critically dependent upon technology availability and reliability. In this survey of 131 clinical audiologists we show that many lack time, staff expertise, or funds to deploy adequate cybersecurity that prevents and mitigates threats to security and privacy. We find widespread deployment of HIPAA-compliant cybersecurity, including antivirus software and individual logins. Only 9.9% of participants reported at least one data breach in 2019, significantly less than the average for small businesses and health care providers, and only 24.4% reported having cyber insurance. Practice owners view patient data as well protected and unlikely victims for cyber attacks and breaches. These results have important implications for cybersecurity products and services, and to medical professionals who must acknowledge the acute importance of cybersecurity in securing protected health information and mitigating risks. Small business private practice health care providers who are particularly sensitive to the impacts of cyber attacks and must prioritize and adopt countermeasures that decrease the risks to patients and their own businesses.