Securing Health Care Records: Jury Is Out on Industry Competence

By Chris Preimesberger

Although hackers make up one of the top five threats listed by survey responders in health care, they don’t top the chart as some might think. When it comes to the biggest threat that organizations face, according to survey responders, 28 percent agreed that No. 1 is their own business associates taking inadequate security precautions for protected health information (PHI). Human error and simple negligence can lead to huge threats to both an organization and its customers, especially in health care.

The U.S. Department of Health and Human Services (HHS) has identified the need for improved interoperability of electronic health records systems as a key to easing national exchange of health information in order to improve treatment. However, while about half of the respondents said interoperability is important, they also said it should not be a top priority for regulators, because there are other more urgent issues. The top five information security priorities are 1) improving regulatory compliance; 2) improving security awareness and training; 3) preventing and detecting breaches; 4) updating business continuity/disaster recovery plans; and 5) monitoring HIPAA compliance of business associates.

The growing use of mobile devices, including those that come under bring-your-own-device (BYOD) policies), is cited as the second-largest security threat organizations face. In fact, lost and stolen unencrypted devices have consistently been culprits in HIPAA breaches reported to HHS. Keeping data off mobile devices through the use of proper security technology is the best way to avoid having a device and its content fall into the wrong hands.

When it comes to accessing electronic health records, usernames and passwords are still by far the dominant method of authentication employed for on-site users; this is followed by the use of tap-and-go badges. The same is true when remote users access data while on the job at an organization’s offsite facilities. When providing clinicians with remote access to systems, nearly half of organizations polled use a VPN. Forty-five percent encrypt all data accessed remotely, and nearly one-third require the use of multi-factor authentication.

HHS has emphasized the need to perform thorough and timely security risk assessments as a key compliance requirement in HIPAA. Three quarters of the survey respondents said their organizations conducted a security risk assessment in 2014. Given that this number is the same as last year’s, there is still room for improvement. By far, the most common result of those risk assessments is that organizations revise or update their security policies. Nearly half of respondents say they’ve implemented new security technologies or revamped security education programs in response to risk-assessment findings.

While the use of cloud computing has grown in many industries, when it comes to health care, only 64 percent of respondents said their organizations use it, which is not surprising, considering the increased fear of having important information stored in the cloud. In fact, of the 64 percent using cloud services, only about one-third are confident in their vendor’s security and policy procedures.

Having a security strategy in place is extremely important when it comes to PHI and ensuring privacy. The National Institute of Standards and Technology framework is used by more than half of organizations as the basis of their information security programs, followed by hybrid models and the HITRUST (Health Information Trust Alliance) Common Security Framework. Findings from the survey show that nearly 60 percent of organizations do, in fact, have a documented security strategy.

Securing PHI is not all about the technology and policies in place. A benefit to companies is having talented staff in place. Two-thirds of organizations reported having a full-time chief information security officer (CISO) or equivalent role to oversee information security. As for organizations looking to hire in 2015, knowledge of privacy and security issues in health care is the most sought-after expertise, followed by risk assessment and security audit skills.

The survey results do prove a failure among health-care organizations to implement some basic safeguards called for in the HIPAA Privacy Rule. More advanced information security technologies and practices should be in place to bring more robust protection. However, the industry continues to become more aware of the importance of all the elements needed to keep PHI safe and out of the wrong hands.