HIMSS: More hospital security breaches in 2010, but greater awareness
The number of healthcare facilities that reported a breach in security that requires notification increased 6 percent from 13 percent in 2008 to 19 percent in 2010, according to the 2010 HIMSS Analytics report on the security of patient data, commissioned by Kroll Fraud Solutions.
“The positive impact…is that there is a growing level of awareness around the state of patient data security in the U.S. healthcare industry related to the increased regulation and the policies put in place to comply with those rules,” the authors wrote. However, the report warned there is concern that the security practices in place continue to overemphasize “checklist” mentality for compliance without implementing more sustainable changes.
Of the 250 respondents that participated in the research, those who reported a breach most often had experienced only a few: nearly three-quarters said their organization had one (43 percent) or two (28 percent) breaches in the past 12 months. Another 15 percent reported 10 or more breaches during this time, according to the report, and the remaining 15 percent had three to nine breaches during the period.
The report stated that malicious intent is still, in comparison with the 2008 HIMSS Analytics report on the same topic, “less likely” to be the cause of most breaches that occurred. Sixty-six percent of respondents in the 2010 study indicated that the source of the breach was unauthorized access to information by an individual employed by the organization at the time of the breach, according to the report.
There continues to be a lack of awareness of the “extremely high costs” associated with a healthcare breach, the report found. Only 15 percent were concerned about a financial impact of a breach, down from 18 percent in 2008. “This is surprising, given the fact that breaches in the healthcare industry ultimately come at a higher overall price than the cost realized in the financial and retail sectors. Full enforcement of HITECH [Act]--including sanctions--which took effect Feb. 22, will make the costs associated with a breach even more burdensome,” the report stated.
According to the report, awareness has yet to translate into organization-wide responsibility addressed through a solution that covers all data (cyber and offline) across the entire organization’s continuum of care, including third-party vendors.
“Reliance on third-party suppliers and vendors--such as contract caregivers, linen services and cafeteria food and beverage suppliers--must be balanced with due diligence about that third party’s background screening methods, hiring practices and training initiatives aimed at a heightened level of data security for all sensitive personal information, be that personal health information [PHI] or personal identifying information,” stated the study.
The report also found that critical access facilities lagged behind general medical/surgical facilities and academic medical centers in terms of electronic patient health information security policy implementation and ongoing review/auditing.
All respondents working for an academic medical center reported that they have a specific policy in place to monitor electronic PHI access and sharing, the report found. According to Kroll, 95 percent of respondents in general medical/surgical hospitals also have this type of policy in place, while only 74 percent of respondents in critical access hospitals reported such a policy was in place.
For health IT tools, all respondents working for an academic medical center have IT applications with audit functions, compared with 89 percent of respondents at critical access hospitals.
“A similar trend exists with the use of IT audit logs that are created and analyzed for inappropriate access to patient data,” the report stated. “Ninety percent of respondents from academic and general medical/surgical hospitals report that this is the case, compared to 72 percent of respondents working at critical access hospitals.”
“The year 2010 and those that follow will surely turn a focused eye and heightened expectations on healthcare providers, payors and suppliers as the methods by which patient data is created, shared and stored is moved into the digital landscape,” concluded the report. “There is no question that challenges lie along the path…but they must produce serious behavioral change that is nurtured and sustained in the new electronic environment.”