- In 2012, 79 percent of respondents reported that a security breach was perpetrated by an employee.
- Fifty-six (56) percent of respondents indicated that the source of a reported breach was unauthorized access to information by an individual employed by the organization at the time of the breach.
- Forty-five (45) percent of respondents indicated that lack of staff attention to policy puts data at risk, an increase of 14 percent from 2010.
The mobility of patient data made possible by new technologies and the proliferation of mobile devices in the workplace is a leading factor in healthcare data security breaches.
- Thirty-one (31) percent of respondents indicated that information available on a mobile device (e.g., cell phone, tablet or laptop) was among the factors most likely to cause a breach (up from 20 percent in 2010 and four percent in 2008).
The industry’s expectations of third-party data security practices are not keeping pace with the increased outsourcing of patient data; third-party breaches are on the rise.
- Eighteen (18) percent of respondents that experienced a breach in the past 12 months cited third parties as the root cause.
- Twenty-eight (28) percent of respondents indicated that “sharing information with external parties” is the top item that put patient data at risk (up from 18 percent in 2010 and 6 percent in 2008).
- Half of respondents noted that they required proof of employee training from third parties.
- A little more than half (56 percent) indicated they require proof of employee background checks.
- Approximately half (56 percent) of respondents indicated they verify that their third-party vendors conduct a periodic risk analysis to identify security risks and vulnerabilities.
“There are numerous reports of security breaches that have taken place as a result of the actions taken by business associates handling identifiable health information,” said Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). “Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information. We know that most security breaches often are the result of actions taken by employees, so background checks, employee training and continued monitoring of policies and procedures are steps all covered entities should ensure are taken by their business associates.”
Another surprising outcome of the 2012 report is that, despite increased regulatory oversight, there continues to be a lack of clarity around who is responsible for data security. When asked which individual within their organization was responsible for the security of patient data, the answers ranged dramatically:
- HIM Director – 21 percent
- CIO – 19 percent
- Chief Privacy Officer, Chief Compliance Officer, CEO – 12 percent for each title
- Chief Security Officer – 10 percent
While responses for many titles have remained consistent from year to year, those respondents naming Chief Security Officers – once considered the “owner” of data security – dropped dramatically from 2010 (14 percent) and 2008 (22 percent), illustrating how responsibility is continuing to be spread across other titles throughout the industry.
“With the understanding that everyone from cafeteria workers to surgeons will come into contact with patient data and that they will do so in even more ways – from work computers, through paper records, via mobile devices and more – it becomes clear that evolving threats will always outpace even the most thorough regulatory requirements,” said Lapidus. “For that reason, organizations will need to constantly assess their security risk levels and evolve their policies and procedures to ensure that they are in the best possible position to protect their patients and their bottom lines.”
Survey Methodology: A total of 250 healthcare industry professionals participated in this research, conducted in December 2011. They included Health Information Management directors/managers (38 percent), compliance officers (24 percent), senior information technology (IT) executives (21 percent), privacy officers (five percent), chief security officers (two percent) and others associated with information management (10 percent). Most respondents were from small to mid-sized healthcare facilities, and only one respondent per organization was invited to participate in this survey.
Please visit the information security practice of Kroll Advisory Solutions website for a copy of the 2012 HIMSS Analytics Report: Security of Patient Data and for more information on best practices in healthcare data security.
About Kroll Advisory Solutions
Kroll Advisory Solutions, the global leader in risk mitigation and response, delivers a wide range of solutions that span investigations, due diligence, compliance, cyber security and physical security. Clients partner with Kroll Advisory Solutions for the highest-value intelligence and insight to drive the most confident decisions about protecting their companies, assets and people.
Kroll Advisory Solutions is recognized for its expertise, with 40 years of experience meeting the demands of dynamic businesses and their environments around the world. Headquartered in New York with offices in 29 cities across 17 countries, Kroll Advisory Solutions has a multidisciplinary team of 700 employees. For more information, visit: http://www.krolladvisorysolutions.com.
About HIMSS Analytics
HIMSS Analytics is a wholly owned not-for-profit subsidiary of the Healthcare Information and Management Systems Society. The company collects and analyzes healthcare data related to IT processes and environments, products, IS department composition and costs, IS department management metrics, healthcare trends and purchase-related decisions. HIMSS Analytics delivers high quality data and analytical expertise to healthcare delivery organizations, healthcare IT companies, state governments, financial companies, pharmaceutical companies, and consulting firms. Visit http://www.himssanalytics.org for more information.
For the original version on PRWeb visit: http://www.prweb.com/releases/prweb2012/04-11-2012/prweb9390516.htm