Patient Data Security Demands Strong Compliance, Proactive Policies: Report
Although health care organizations deal with many types of government and professional regulations, as adoption of electronic health records (EHRs) progresses, they also need to form policies of their own to secure patient data, according to an April 11 report from HIMSS Analytics and Kroll Advisory Solutions, a provider of IT security.
HIMSS Analytics performs analysis of IT processes in health care and is a division of the nonprofit Healthcare Information and Management Systems Society (HIMSS).
For the study, HIMSS interviewed 250 health care industry professionals, including senior IT executives as well as compliance and security officers. Kroll provided funding and expertise for the research, which was performed in December 2011.
Health care organizations have turned to government guidelines on security, but they need their own security measures as well, Brian Lapidus, senior vice president for Kroll, said in a statement.
These government security guidelines include the 1996 Health Insurance Portability and Accountability Act (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which made penalties for data breaches more severe.
Lapidus said the combination of compliance and proper security measures is beneficial in the same way as nutrition and exercise. "The magic happens when the two overlap," said Lapidus.
"Evolving threats will always outpace even the most thorough regulatory requirements," said Lapidus. "For that reason, organizations will need to constantly assess their security risk levels and evolve their policies and procedures to ensure that they are in the best possible position to protect their patients and their bottom lines."
The HIMSS report follows news of a Medicaid data breach at the Utah Department of Technology Services (DTS). The March 30 incident involved potential exposure of data for about 780,000 citizens when a hacker in Eastern Europe broke into a server at DTS.
"The Utah data breach is an example of human error because, as reported, the server did not have a secure password," Lisa Gallagher, senior director of privacy and security for HIMSS, wrote in an email to eWEEK. "Any server or other data warehouse with patient health information must be securely protected."
Meanwhile, 31 percent of respondents in the HIMSS/Kroll study considered mobile devices to be a top threat for health care data breaches.
"The expanded use of mobile devices offers new operational efficiencies and increased vulnerabilities," said Gallagher. "Security steps for mobile devices should be included in the action plans so that guidelines are set."
A large number of health care breaches reported to the U.S. Department of Health and Human Services were also due to portable devices, Gallagher noted.
Human error by employees was a major factor in health breaches, according to respondents.
Of the respondents, 79 percent said security breaches were initiated by an employee, and 56 percent said breaches occurred because employees had unauthorized access to information.
"Human error in health care delivery has impactful consequences when it comes to security," said Gallagher. "Training employees on security measures and implementing the proper security protocols are basic steps to take, but also, are often overlooked."
Despite the policies that need to be implemented, 85 percent of respondents say their health care organizations update their security action plan regularly. Methods to secure patient data include hiring practices, background checks and minimizing data access, said Gallagher.
Even as data breaches caused by insiders were considered a major threat by respondents, sharing data with third parties was a concern for 28 percent of participants.
"With the rise of EHRs, more health care providers are entrusting their patient data to third parties, meaning that the scope of patient data security extends far beyond the walls of their own hospital," the report stated.
Of the respondents, 98 percent require outside vendors to sign business associate agreements required under HIPAA when handling patients' personally identifiable information. Still, more steps are needed to hold third parties accountable for security practices, Gallagher suggested. One step could be requesting proof of employee security training, she said.
In addition, HIMSS was surprised to find that only a quarter of respondents were concerned about the financial implications of breaches. The cost of health care breaches is usually higher than those in the financial and retail industries, HIMSS reported.