Even as providers work to update their security environments, hospital data continues to be at serious risk, according to the 2010 HIMSS Analytics Report: Security of Patient Data.
Despite new statutory requirements for healthcare privacy and security, the study found critical gaps in data security – and its findings suggested that efforts to keep data safe were often more reactive than proactive, with hospitals dedicating more resources to breach response than to breach prevention.
The report, based on a biannual survey of 250 healthcare professionals nationwide, was commissioned by Kroll Fraud Solutions, a leading provider of data protection and identity theft response services, in partnership with HIMSS Analytics, a wholly-owned, not-for-profit subsidiary of the Healthcare Information and Management Systems Society (HIMSS).
"The results of the latest study are bittersweet to say the least," said Brian Lapidus, Kroll's chief operating officer. "On one hand, healthcare organizations are demonstrating increased awareness of the state of patient data security as a result of heightened regulatory activity and increased compliance. On the other, organizations are so afraid of being labeled ‘noncompliant’ that they overlook the bigger elephant in the room, the still-present risk and escalating costs associated with a data breach. We need to shift the industry focus from a ‘check the box’ mentality around compliance to a more comprehensive, sustained look at data security.”
When the last HIMSS Analytics report on the security of patient data was released in April 2008, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the primary regulatory requirement for hospitals. At that time, the study suggested that HIPAA’s focus on medical privacy fostered a significant lack of awareness among healthcare providers around the frequency, cause and seriousness of patient identity theft. The same is true in 2010, according the new report.
"We’d still like to see increasing maturity of data security function – from a checklist compliance approach to an organization-wide risk management approach," said Lisa Gallagher, senior director of privacy and security for HIMSS. "We’d like to see recognition of security risk as a business risk and have the function appropriately supported and resourced by executive management. The healthcare environment is only going to become more complex over time with the emphasis on health information exchange and new technology approaches such as cloud computing."
Professor Carl. A Gunter is beginning research on technology that would do what Gallagher has in mind.
"It is essential for patients and healthcare providers to have confidence in the information technologies on which modern healthcare is becoming increasingly reliant," said Gunter of the Department of Computer Science and the Information Trust Institute at the University of Illinois at Urbana-Champaign. Gunter is poised to lead a new research team to create technology that will make electronic health record systems and health data exchange secure enough to gain the confidence of doctors and patients. The project will be funded with the recently announced government award of $15 million through SHARP (Strategic Health IT Advanced Research Projects).
The 2010 HIMSS Analytics Report did note significant differences between security policies and procedures according to hospital type. For instance, critical access facilities lagged behind general medical/surgical facilities and academic medical centers in several key areas, including monitoring electronic patient health information access and sharing (74 percent of respondents from critical access hospitals said their organization has such policies in place, as compared with 100 percent of academic medical center respondents and 95 percent of general medicine/surgical); and auditing processes for sharing patient data with outside entities (61 percent of critical access hospitals reported conducting regular audits, compared with 90 percent of academic medical centers and 80 percent of general medicine/surgical hospitals).
Among the key findings of the report are:
- Despite new regulatory activity, including the implementation of Red Flags Rule and HITECH Act, and increased compliance among healthcare providers, the reporting of healthcare breaches is on the rise.
- The majority of survey participants indicated that they were compliant with existing laws and regulations.
- Average responses were above a 6.0 (on a scale of 1-7, with 7 being the highest level of compliance) for almost all laws and regulations, including CMS Regulations, HIPAA, State Security Laws and Red Flags Rule. Only HITECH scored lower (5.75), most likely due to the fact that HITECH was still not fully implemented at the time of the survey.
- The number of healthcare organizations that reported a breach increased by six percent in 2010 to 19 percent of total respondents – up from 13 percent in 2008.
- When asked to rate their level of "preparedness" for a future security breach, respondents from organizations having experienced a breach cited a preparedness level of 6.06 (on a scale of 1-7, with 7 being most prepared).
- Healthcare organizations continue to underestimate the high costs of a data breach, despite the fact that penalties for HITECH violations can reach as high as $1.5 million dollars.
- Patient satisfaction was most frequently cited as the primary impact of a data breach on their organization (38 percent), while only 15 percent cited the financial costs – down from 18 percent in 2008.
- Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.
- Eighty-seven percent of respondents indicated that they have policies in place to monitor access and sharing of electronic health information, yet research shows that 84 percent of healthcare breaches since 2003 were due to "low tech" incidents such as lost or stolen laptops, improper disposal of documents, stolen backup tapes, etc.
- Sixty percent of respondents said they required third party vendors to provide proof of employee training and only half indicated that they required third party vendors to provide proof of employee background checks. As organizations prepare for the broader sharing of electronic health records across massive networks of providers, payers, state and federal repository systems, third party involvement is only expected to increase in the coming years.
