April 12, 2012 – Nearly 16 years after the enactment of the Health Insurance Portability and Accountability Act (HIPAA) – the first of many regulations and guidelines governing data security in the healthcare industry – a new report suggests that an increased focus on compliance has not resulted in increased security. The 2012 HIMSS Analytics Report: Security of Patient Data, the third installment of Kroll’s bi-annual survey of healthcare providers nationwide, shows a steady rise in data breaches over the last six years, despite increasingly stringent regulatory activity surrounding reporting and auditing procedures and heightened levels of compliance. The report, which surveys healthcare organizations nationwide, was commissioned by the information security practice of Kroll Advisory Solutions. The report was previously issued by Kroll Fraud Solutions.
In the 2012 report, respondents indicated that they were more prepared than ever to confront the data security risks, giving themselves a 6.40 rating on a scale of one to seven (with with 1 being “not at all prepared” and seven being “extremely prepared”), as compared to 6.06 in 2010 and 5.88 in 2008. In addition, 96 percent of respondents reported conducting a formal risk analysis at their organization in the past 12 months. Yet the fact that a growing 27 percent of respondents reported a security breach during that same time period (up from 19 percent in 2010 and 13 percent in 2008) — of which 69 percent experienced more than one – indicates that increased preparedness is not synonymous with increased security.
“When it comes to long-term prevention of data security incidents, it appears that the healthcare industry is not taking its own medicine,” said Brian Lapidus, senior vice president for Kroll Advisory Solutions. “There’s no question that HIPAA, HITECH and Red Flags have raised the base standard for protecting patient data, but combating the industry’s biggest security threats requires the essential combination of compliance and sound security measures. It’s like nutrition and exercise as the dynamic duo of weight loss. The magic happens when the two overlap.”
The 2012 report signals some of the most significant data security threats facing the healthcare industry today:
• Human error remains the greatest threat to healthcare data security.
• In 2012, 79 percent of respondents reported that a security breach was perpetrated by an employee.
• Fifty-six (56) percent of respondents indicated that the source of a reported breach was unauthorized access to information by an individual employed by the organization at the time of the breach.
• Forty-five (45) percent of respondents indicated that lack of staff attention to policy puts data at risk —an increase of 14 percent from 2010.
• The mobility of patient data made possible by new technologies and the proliferation of mobile devices in the workplace is a leading factor in healthcare data breaches.
• Thirty-one (31) percent of respondents indicated that information available on a portable device was among the factors most likely to cause a breach (up from 20 percent in 2010 and four percent in 2008).
• The industry’s expectations of third party data security practices are not keeping pace with the increased outsourcing of patient data; third party breaches are on the rise.
• Eighteen (18) percent of respondents that experienced a breach in the past 12 months cited third parties as the root cause.
• Twenty-eight (28) percent of respondents indicated that “sharing information with external parties” is the top item that put patient data at risk (up from 18 percent in 2010 and 6 percent in 2008).
• Half of respondents noted that they required proof of employee training from third parties.
• A little more than half (56) percent indicated they require proof of employee background checks.
• Approximately half (56 percent) of respondents indicated they verify that their third party vendors conduct a periodic risk analysis to identify security risks and vulnerabilities.
“There are numerous reports of security breaches that have taken place as a result of the actions taken by business associates handling identifiable health information”, said Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). “Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information. We know that most security breaches often are the result of actions taken by employees, so background checks, employee training and continued monitoring of policies and procedures are steps all covered entities should ensure are taken by their business associates.”
Another surprising outcome of the 2012 report is that, despite increased regulatory oversight, there continues to be a lack of clarity around who is responsible for data security. When asked which individual within their organization was responsible for the security of patient data, the answers ranged dramatically:
HIM Director – 21 percent
CIO – 19 percent
Chief Privacy Officer, Chief Compliance Officer, CEO – 12 percent for each title
Chief Security Officer – 10 percent
While responses for many titles have remained consistent from year to year, those respondents naming Chief Security Officers – once considered the “owner” of data security – dropped dramatically from 2010 (14 percent) and 2008 (22 percent), illustrating how responsibility is continuing to be spread across other titles throughout the industry.
“With the understanding that everyone from cafeteria workers to surgeons will come into contact with patient data and that they will do so in even more ways – from work computers, through paper records, via mobile devices and more –it becomes clear that evolving threats will always outpace even the most thorough regulatory requirements,” said Lapidus. “For that reason, organizations will need to constantly assess their security risk levels and evolve their policies and procedures to ensure that they are in the best possible position to protect their patients and their bottom lines.”
Survey Methodology: A total of 250 healthcare industry professionals participated in this research, conducted in December 2011. They included Health Information Management directors/managers (38 percent), compliance officers (24 percent), senior information technology (IT) executives (21 percent), privacy officers (five percent), chief security officers (two percent) and others associated with information management (10 percent). Most respondents were from small to mid-sized healthcare facilities, and only one respondent per organization was invited to participate in this survey.
For a copy of the 2012 HIMSS Analytics Report: Security of Patient Data and for more information on best practices in healthcare data security, visit: www.krolladvisorysolutions.com.