As the healthcare industry prepares for a major shift to electronic health records (EHRs) over the next several years, a new bi-annual report provides data that shows that providers are still having difficulty adequately securing patient data in a rapidly changing landscape.
The 2010 HIMSS Analytics Report: Security of Patient Data indicates that healthcare organizations are actively taking steps to ensure that patient data is secure. However, these efforts appear to be more reactive than proactive, as hospitals dedicate more resources toward breach response vs. breach prevention through risk management activities.
The report, which surveys healthcare organizations nationwide, was commissioned by Kroll Fraud Solutions, a leading provider of data protection and identity theft response services.
"The results of the latest study are bittersweet to say the least," said Brian Lapidus, chief operating officer for Kroll Fraud Solutions. "On one hand, healthcare organizations are demonstrating increased awareness of the state of patient data security as a result of heightened regulatory activity and increased compliance. On the other, organizations are so afraid of being labeled 'noncompliant' that they overlook the bigger elephant in the room, the still-present risk and escalating costs associated with a data breach. We need to shift the industry focus from a 'check the box' mentality around compliance to a more comprehensive, sustained look at data security."
When the 2008 HIMSS Analytics Report: Security of Patient Data was released in April 2008, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the primary regulatory requirement dominating the healthcare space. At the time, the study suggested that HIPAA's focus on medical privacy fostered a significant lack of awareness among healthcare providers around the frequency, cause and seriousness of patient identity theft. According to the latest study, the same is true in 2010, despite the flurry of regulatory activity around patient data security over the past two years and the severe financial penalties these laws impose.
Key report findings include:
- Despite new regulatory activity, including the implementation of Red Flags Rule and HITECH Act, and increased compliance among healthcare providers, the reporting of healthcare breaches is on the rise.
- The majority of survey participants indicated that they were compliant with existing laws and regulations.
- Average responses were above a 6.0 (on a scale of 1-7, with 7 being the highest level of compliance) for almost all laws and regulations, including CMS Regulations, HIPAA, State Security Laws and Red Flags Rule. Only HITECH scored lower (5.75), most likely due to the fact that HITECH was still not fully implemented at the time of the survey.
- The number of healthcare organizations that reported a breach increased by six percent in 2010 to 19 percent of total respondents -- up from 13 percent in 2008.
- When asked to rate their level of "preparedness" for a future security breach, respondents from organizations having experienced a breach cited a preparedness level of 6.06 (on a scale of 1-7, with 7 being most prepared).
- Healthcare organizations continue to underestimate the high costs of a data breach, despite the fact that penalties for HITECH violations can reach as high as $1.5 million dollars.
- 87 percent of respondents indicated that they have policies in place to monitor access and sharing of electronic health information, yet research shows that 84 percent of healthcare breaches since 2003 were due to "low tech" incidents such as lost or stolen laptops, improper disposal of documents, stolen backup tapes, etc.
- 60 percent of respondents said they required third party vendors to provide proof of employee training and only half indicated that they required third party vendors to provide proof of employee background checks. As organizations prepare for the broader sharing of electronic health records across massive networks of providers, payors, state and federal repository systems, third party involvement is only expected to increase in the coming years.
"We'd still like to see increasing maturity of data security function -- from a checklist compliance approach to an organization-wide risk management approach," said Lisa Gallagher, senior director of privacy and security for HIMSS. "We'd like to see recognition of security risk as a business risk and have the function appropriately supported and resourced by executive management. The healthcare environment is only going to become more complex over time with the emphasis on health information exchange and new technology approaches such as cloud computing."