In the 2012 report, respondents indicated that they were more prepared than ever to confront data security risks, giving themselves a 6.40 rating on a scale of one to seven (with one being “not at all prepared” and seven being “extremely prepared”), as compared to 6.06 in 2010 and 5.88 in 2008. In addition, 96 percent of respondents reported conducting a formal risk analysis at their organization in the past 12 months. Yet the fact that a growing 27 percent of respondents reported a security breach during that same time period (up from 19 percent in 2010 and 13 percent in 2008) -- of which 69 percent experienced more than one -- indicates that increased preparedness is not synonymous with increased security.
“When it comes to long-term prevention of data security incidents, it appears that the healthcare industry is not taking its own medicine,” said Brian Lapidus, senior vice president for Kroll Advisory Solutions. “There’s no question that HIPAA, HITECH and Red Flags have raised the base standard for protecting patient data, but combating the industry’s biggest security threats requires the essential combination of compliance and sound security measures. It’s like nutrition and exercise as the dynamic duo of weight loss. The magic happens when the two overlap.”
The 2012 report signals some of the most significant data security threats facing the healthcare industry today:
Human error remains the greatest threat to healthcare data security.
The mobility of patient data made possible by new technologies and the proliferation of mobile devices in the workplace is a leading factor in healthcare data security breaches.
“There are numerous reports of security breaches that have taken place as a result of the actions taken by business associates handling identifiable health information,” said Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). “Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information. We know that most security breaches often are the result of actions taken by employees, so background checks, employee training and continued monitoring of policies and procedures are steps all covered entities should ensure are taken by their business associates.”
Another surprising outcome of the 2012 report is that, despite increased regulatory oversight, there continues to be a lack of clarity around who is responsible for data security. When asked which individual within their organization was responsible for the security of patient data, the answers ranged dramatically:
While responses for many titles have remained consistent from year to year, those respondents naming Chief Security Officers – once considered the “owner” of data security – dropped dramatically from 2010 (14 percent) and 2008 (22 percent), illustrating how responsibility is continuing to be spread across other titles throughout the industry.
“With the understanding that everyone from cafeteria workers to surgeons will come into contact with patient data and that they will do so in even more ways – from work computers, through paper records, via mobile devices and more – it becomes clear that evolving threats will always outpace even the most thorough regulatory requirements,” said Lapidus. “For that reason, organizations will need to constantly assess their security risk levels and evolve their policies and procedures to ensure that they are in the best possible position to protect their patients and their bottom lines.”
Survey Methodology: A total of 250 healthcare industry professionals participated in this research, conducted in December 2011. They included Health Information Management directors/managers (38 percent), compliance officers (24 percent), senior information technology (IT) executives (21 percent), privacy officers (five percent), chief security officers (two percent) and others associated with information management (10 percent). Most respondents were from small to mid-sized healthcare facilities, and only one respondent per organization was invited to participate in this survey.
Please visit the information security practice of Kroll Advisory Solutions website for a copy of the 2012 HIMSS Analytics Report: Security of Patient Data and for more information on best practices in healthcare data security.
About Kroll Advisory Solutions
Kroll Advisory Solutions, the global leader in risk mitigation and response, delivers a wide range of solutions that span investigations, due diligence, compliance, cyber security and physical security. Clients partner with Kroll Advisory Solutions for the highest-value intelligence and insight to drive the most confident decisions about protecting their companies, assets and people.
Kroll Advisory Solutions is recognized for its expertise, with 40 years of experience meeting the demands of dynamic businesses and their environments around the world. Headquartered in New York with offices in 29 cities across 17 countries, Kroll Advisory Solutions has a multidisciplinary team of 700 employees. For more information, visit: http://www.krolladvisorysolutions.com.
About HIMSS Analytics
HIMSS Analytics is a wholly owned not-for-profit subsidiary of the Healthcare Information and Management Systems Society. The company collects and analyzes healthcare data related to IT processes and environments, products, IS department composition and costs, IS department management metrics, healthcare trends and purchase-related decisions. HIMSS Analytics delivers high quality data and analytical expertise to healthcare delivery organizations, healthcare IT companies, state governments, financial companies, pharmaceutical companies, and consulting firms. Visit http://www.himssanalytics.org for more information.