Healthcare industry overlooks critical gaps in data security
As the healthcare industry prepares for a major shift to electronic health records (EHRs) over the next several years, a new bi-annual report shows that providers are still struggling to secure patient data adequately in a rapidly changing landscape.
The 2010 HIMSS Analytics Report: Security of Patient Data indicates that healthcare organizations are actively taking steps to ensure that patient data is secure. However, these efforts appear to be more reactive than proactive: hospitals dedicate more resources to breach response than to breach prevention through risk management activities.
“The results of the latest study are bittersweet to say the least,” said Brian Lapidus, chief operating officer for Kroll Fraud Solutions. “On one hand, healthcare organizations are demonstrating increased awareness of the state of patient data security as a result of heightened regulatory activity and increased compliance. On the other, organizations are so afraid of being labeled ‘noncompliant’ that they overlook the bigger elephant in the room, the still-present risk and escalating costs associated with a data breach. We need to shift the industry focus from a ‘check the box’ mentality around compliance to a more comprehensive, sustained look at data security.”
Key report findings include:
- Despite new regulatory activity, including the Red Flags Rule and the HITECH Act, and increased compliance among healthcare providers, reported healthcare breaches are on the rise.
- Healthcare organizations continue to underestimate the high costs of a data breach, despite the fact that penalties for HITECH violations can reach $1.5 million.
- Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.
Survey Methodology: A total of 250 healthcare industry professionals participated in this research conducted in December 2009. They included Health Information Management (HIM) managers (45 percent), senior information technology (IT) executives (25 percent), compliance and privacy officers (25 percent), chief security officers (4 percent) and others associated with information management (1 percent). Most respondents were from small to mid-sized healthcare facilities.