Healthcare is data security's poor relation. Despite some evidence of positive effort, data breaches are on the rise, and most healthcare organizations just don't quite get the importance of security, focusing too much on the form of regulatory compliance and too little on substance, according to a panel discussing the recently released 2012 HIMSS Analytics Report: Security of Patient Data.
The survey, conducted by Kroll Advisory Solutions on behalf of the Healthcare and Information Management Systems Society, suggests that security may be getting worse before it gets better. (Previous surveys were conducted in 2008 and 2010.) That assessment tends to confirm the experience manifested in the wave of healthcare sector data breaches, accidental and malicious, that we've witnessed in the past few weeks.
One of the remarkable disconnects is that the overwhelming percentage (98%) of large healthcare organizations conduct periodic risk analysis to identify security risks and vulnerabilities (the numbers for medium and small organizations were a little lower). However, the percentage of organizations reporting data breaches has risen steadily despite this apparent diligence. More than a quarter (27%) of the 25 healthcare organizations surveyed reported that they had experienced data breaches; 69% of those suffered multiple breaches. This compares with 19% in 2010 and just 13% in 2008. (The latest Symantec Internet Security Report, showing that healthcare was far and away the sector with the highest incidence of data breaches in 2011, reinforces these findings.)
The panel suggested that organizations may (a) be lulled, quite literally, into a false sense of security by performing the risk analysis as if the process itself made their organizations more secure, and (b) conduct risk analyses that tend to focus on gaps against the regulatory requirements rather than on the most significant security risks. The theme of "check box" compliance dominates the industry, they said, so the high incidence of data breaches is hardly surprising.
Another factor is that, from a criminal's perspective, hospitals and other healthcare organizations are one-stop shopping for all sorts of data: patient and employee personally identifiable information (PII), medical records, personal financial information and credit card data.
And, increasingly and by design, that information is available in digital format. The HITECH Act pushes healthcare providers to convert to electronic health records (EHR) through a combination of incentive payments and the sword of penalties for those who are slow to comply. That makes sense in terms of business efficiency and, ultimately, patient care, as medical information can be quickly and easily shared. But it also means that sensitive data is potentially in more places, held by organizations with different levels of security.
Information sprawl grows, and responsibility for data is stretched further, as business associates are subject to HIPAA data security rules under HITECH. A business associate should report a data breach to the originating organization, which in turn must notify affected individuals and the U.S. Department of Health and Human Services. That means healthcare organizations must be responsible not only within their own walls and among their own people, but for their partners as well. The survey found that while 98% of the respondents required third parties to sign a Business Associate agreement, and 82% require breach notification, only 56% require risk analyses. The same number demand background checks of employees, and only 50% (down from 60% in 2010) ask for proof of employee security training.
All the more important is that, criminal activity notwithstanding, the majority (56%) of reported breaches involved improper employee access to health records (good news: progressively down from 2008 and 2010). Stolen or lost laptops and other mobile devices (USB drives, smart phones, tablets etc.) were reported by 22% of the organizations, about double the figures in the previous two reports. It's worth noting that several of the recent breaches involved lost laptops and backup tapes. As the old comic strip Pogo observed, "we have met the enemy and he is us".