10 Trends in Cybersecurity Behavior Across Audiology Private Practice: How Do You Compare?



Authors: Josiah Dykstra, Ph.D., Rohan Mathur, B.A., and Alicia D.D. Spoor, Au.D.

One year ago, an article in Audiology Practices on cybersecurity offered a short checklist for audiologists to self-assess how they were implementing protections in their businesses to safeguard protected health information (PHI).1 The article also included three recommended actions to help protect audiology practices: business policies, software updates, and security training. Self-assessment is a valuable tool for individual business owners, but the next step is to understand trends across the profession.

During the summer of 2020, we conducted a survey of ADA members and private practice audiologists’ cybersecurity behavior. The 24-item questionnaire was intended to identify trends, gaps, and opportunities that – until now – did not appear in the research literature. We analyzed the responses from 131 participants across 37 states and found that cybersecurity behavior is mixed. Some key themes emerged that can help inform audiologists about positive trends and areas of increased need. The trends can also inform the tech community about how to better tailor products and services for the unique needs of audiology and other medical specialties. In December 2020, a scientific, peer-reviewed paper was published describing details of the findings from this survey.2

This article highlights 10 trends in cybersecurity behavior across audiology private practices as revealed by the survey results. Individually, they allow you to compare your own behavior with that of peers and invite you to celebrate success and remediate weakness. In sum they reveal the status quo which may also be measured over time and compared with other medical specialties.

  1. Number of computing devices varies significantly. The average number of devices used for work-related services varied significantly as evidenced by the standard deviations. Among respondents, the mean number of devices was 6 desktop computers, 2 laptop computers (SD=3), 0 tablets (SD=1), 6 wired telephones (SD=7), and 1 smartphone (SD=2).
  2. Average password exceeds minimum recommendations. Research shows that longer passwords are more secure. This survey asked “How many characters is your current work email password?” The average answer was 11 characters. The National Institute of Standards and Technology (NIST) recommends a minimum of 8 characters, and HIPAA has no prescribed compliance standard. This survey did not explore password reuse, such as having the same password for both email and social media; this would jeopardize strong email passwords. All users should consider using a password manager to support good password hygiene, such as LastPass or 1Password.
  3. Vast majority have HIPAA-compliant individual logins. The survey asked whether “Each employee uses their own unique login and password for computers in the office?” A total of 83% said yes (Figure 1). Individual accounts provide authentication and accountability which ensure authorized access to help protect PHI and other sensitive business data. While the survey only explored computer logins, individual logins are necessary for all software including hearing aid software and EHR.
  4. Compliance and security are much better for those who spend over $500 per year. Nearly half (46%) of respondents spent less than $500 on cybersecurity in 2019. Those who spent more than $500 showed higher adoption of cybersecurity in all areas measured, including items with low fixed cost such as an office password policy (Figure 2). Recurring costs may include antivirus subscriptions, cybersecurity awareness training, and annual HIPAA risk assessments. Spending should correlate with the number of providers and computers needing protection, but spending did not correlate to those variables. Practice owners should evaluate whether their security budget appropriately covers safeguards required for PHI and other assessed risks.
  5. Many practice owners perform security functions. When asked who performs security-related tasks, such as installing software updates, respondents answered the practice owner (63%), contracted technical support (50%), employees (27%), and others such as a spouse (12%). In small businesses, it is unsurprising that the owner fulfills many functions including IT. The greatest challenge in cybersecurity, even for those who are computer literate, is maintaining awareness of the steady stream of new threats and their mitigations. Not knowing about a threat is akin to accepting that risk.
  6. Most say “Not enough expertise” prevents better cybersecurity. Participants were asked “In your opinion, how would you rate your protection against data breaches and hacking?” and “If not Excellent, what limitations are preventing better protection? (Select all that apply)” The most common answer (80%) was not enough expertise, followed by money (24%), and time (22%). Considering how many owners perform some or all of their own cybersecurity, these limitations could have significant consequences and suggest an opportunity for cybersecurity education or outsourcing security tasks.
  7. Less than 1/3 have data encryption on all computers. Only 33% reported data encryption on all devices. While more and more data are stored in cloud-based EHR/EMR or file storage (such as Google Drive or Microsoft OneDrive), office computers should also have encryption enabled. According to HIPAA, encryption helps protect PHI as a technical safeguard and should be enabled unless you have a reasonable and appropriate equivalent alternative measure. For example, BitLocker is a built-in encryption feature that should be enabled on computers running Windows 10 Professional. Encryption is particularly important on laptops, tablets, and smartphones whose portability makes them susceptible to being lost or stolen.
  8. “Rosy” view of cybersecurity incidents, risk, and preparedness. Based on answers to the survey, audiologists appear to have an inaccurate perception of the risk and likelihood of cybersecurity incidents. Only 9.2% of respondents reported that they were the victim of a hack or data breach in 2019. Based on comparable data from both small business surveys3 and physician data4, the rate of incidents in audiology is likely much higher than observed. The survey also asked “What is the likelihood that your practice will be hacked or be the victim of a data breach in the next 12 months?” While 38% said they didn’t know, 55% said not at all likely or slightly likely. Unknown and unacknowledged incidents are a liability to the practice.
  9. Cyber insurance is uncommon. Similar to life or auto insurance, cyber insurance can be essential in helping cover the expenses related to a data breach, including business disruption, revenue loss, legal fees, and legally mandated notifications. Without insurance, these expenses could easily cost you $100,000 or more depending on the number of PHI records you have. Among practices that spent less than $500 on security in 2019, only 17% of respondents had cyber insurance; among those spending more than $500, 39% had it. Many insurers offer cyber policies or endorsements to package policies, so consider talking to your insurance provider about a quote for cyber insurance.
  10. Risk assessment is the most desired. Participants were asked to imagine that they had a dedicated $1,000 to spend on a cybersecurity project and to select how they would spend it. The top response (44%) was a risk assessment, significantly more than the alternatives, which included secure email, training, and backups. This is a reasonable response, since a risk assessment is a prerequisite to determining which cybersecurity solutions are necessary, and HIPAA requires covered entities to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities” to PHI. Risk assessments may be done yourself5 or with the help of a cybersecurity consultant, and should be reviewed at least annually.
Figure 1. Responses across all participants as to whether or not their private practice implements various cybersecurity practices.2


Figure 2. Comparison of seven cybersecurity behaviors grouped by respondents spending more and less than $500 on security in 2019.2
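Trend 7 says BitLocker should be enabled on Windows 10 Professional office computers. The following PowerShell audit is an added example, not code from the article or its authors; it assumes an elevated prompt on a Windows 10 Pro machine with the built-in BitLocker module, and uses only the standard Get-Volume and Get-BitLockerVolume cmdlets to report which fixed drives lack active protection.

```powershell
# Added example: list every fixed drive and its BitLocker protection state.
# Assumes Windows 10 Pro (BitLocker module present) and an elevated session.
function Get-FixedVolumeBitLockerStatus {
    # Only fixed drives hold PHI at rest; removable media are out of scope here.
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }
    foreach ($v in $fixed) {
        $mount = "$($v.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive      = $mount
            # ProtectionStatus is On only when the volume is encrypted AND protectors are active;
            # a fully encrypted volume with protection suspended still reports Off.
            Protection = if ($bl) { $bl.ProtectionStatus } else { 'NoBitLockerInfo' }
            Encrypted  = if ($bl) { "$($bl.EncryptionPercentage)%" } else { 'n/a' }
            Protectors = if ($bl) { $bl.KeyProtector.KeyProtectorType -join ',' } else { 'none' }
        }
    }
}

$report = Get-FixedVolumeBitLockerStatus
$report | Format-Table -AutoSize

# Anything not 'On' is a gap for the HIPAA technical safeguard discussed in trend 7.
$gaps = $report | Where-Object { "$($_.Protection)" -ne 'On' }
if ($gaps) {
    Write-Warning "Drives without active BitLocker protection: $($gaps.Drive -join ', ')"
    Write-Host "Remediate with Enable-BitLocker (for example: Enable-BitLocker -MountPoint C: -TpmProtector)"
    Write-Host "and escrow the recovery key before rebooting."
} else {
    Write-Host "All fixed drives report BitLocker protection On."
}
```

Run it on each office computer (or through your remote management tool) and keep the output with your annual risk assessment as evidence that encryption is in place.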


Self-reported studies including ours have specific limitations. We feel reasonably confident that the data are accurate given the strong anonymity provided and little fear of reprisal. This study was not intended to be representative of all audiologists or practice settings. Additional research is needed for validation, and longitudinal studies could measure change in cybersecurity behavior over time. In a future study we would like to better understand why people make the decisions they do, such as audiologists’ mental models about security risks. In psychology, mental models are a cognitive structure constructed by individuals to represent how something works, and a person’s intuition about his or her actions and their consequences.

The results of this survey illustrate that cybersecurity is an important and active part of business and patient care for many audiologists. The trends highlighted here are consistent with the struggles and constraints of both a small business and a medical business. As a result, private practice audiology businesses must remain diligent in pursuing the necessary adoption of security and privacy safeguards. We thank ADA and each participant for contributing to this research, and look forward to safe and successful hearing and balance healthcare.

Josiah Dykstra, Ph.D. is Founder and Cybersecurity Consultant at Designer Security, LLC, which provides cyber services for audiologists. He has more than 16 years’ experience in cybersecurity research, practice, and education. Contact him at Josiah@DesignerSecurity.com.

Rohan Mathur, B.A. is a recent graduate in Health Administration and Policy from the University of Maryland, Baltimore County. During the summer of 2020, he was an intern at Designer Security, LLC. Alicia D.D. Spoor, Au.D. is the Audiologist and President of Designer Audiology, LLC. She is currently Legislative Chair of the Maryland Academy of Audiology and a past President of ADA.

References

1 Dykstra, J., “Protecting Your Business with Cybersecurity in 2020 and Beyond,” Audiology Practices, vol. 12, no. 1, pp. 28-29, 2020, http://www.audiologypractices.org/protecting-your-business-with-cybersecurity-in-2020-and-beyond.

2 Dykstra, J., Mathur, R., & Spoor, A., “Cybersecurity in Medical Private Practice: Results of a Survey in Audiology,” IEEE 6th International Conference on Collaboration and Internet Computing (CIC), 2020.

3 Ponemon Institute, “The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses,” https://www.keeper.io/hubfs/PDF/2019%20Keeper%20Report%20V7.pdf.

4 Burki, T., “The dangers of the digital age,” The Lancet Digital Health, vol. 1, no. 2, pp. E61–E62, June 2019.

5 Health and Human Services, “Security Rule Guidance Material,” https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.