Security improving, but data still vulnerable

Healthcare providers are addressing data security better than in past years, but the challenge is also growing as electronic health records (EHRs) and mobile devices become more common, according to the "2012 HIMSS Analytics Report: Security of Patient Data."

The report is the third installment of a biennial survey (2008, 2010, 2012) of healthcare provider facilities in the United States regarding patient data safety. The survey was commissioned by the information security practice of Kroll Advisory Solutions (previously Kroll Fraud Solutions), a risk consulting firm in New York City, in partnership with HIMSS Analytics, a not-for-profit organization in Chicago that promotes data security.

The use of new technologies, in particular mobile devices in the workplace, has skyrocketed, creating new operational efficiencies and security vulnerabilities, the report notes. Particularly with the rise of EHRs, more healthcare providers are entrusting their patient data to third parties, meaning that the scope of patient data security extends far beyond the walls of their own facility, the report says.

In years past, protecting patient privacy was the primary goal for most hospitals as they strived for compliance under the Health Insurance Portability and Accountability Act (HIPAA), the report notes. But as the industry has moved toward more digital frontiers with an aggressive transition to EHRs and mobile devices, "the increase in cyber threats and system vulnerabilities necessitates that privacy and security no longer be treated as separate issues."

In 2012, 27% of all respondents to the survey indicated their organization had a security breach in the past 12 months (up from 19% in 2010 and 13% in 2008). Of those who reported a breach, 69% experienced more than one. "The increase is likely due to a more accurate picture of security and privacy than had previously existed within the industry, thanks to more stringent auditing and reporting guidelines," such as the Red Flags Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, the report says.

"The positive impact of these changes is that there is a growing level of awareness around the state of patient data security in the U.S. healthcare industry related to increased regulation and the policies put in place to comply with those rules," the researchers write. "However, there is cause for concern, as our new study shows that the security practices in place continue to overemphasize a 'checklist' mentality for compliance without implementing more comprehensive and sustainable changes needed for meaningful improvements in the day-to-day handling of patient Personal Health Information (PHI) and Patient Identity Integrity (PII)."

While increased regulation and better-articulated guidance have led to increases in privacy and security measures within hospitals, they also have contributed to a false sense of security within organizations that comply with these mandates, the report says. "Despite the increase in the number of breach incidents reported, most hospitals continue to believe that if they are more prepared, they are more secure," the report says.

On the whole, individuals responding to the 2012 survey reported they were more prepared than two years ago. Respondents gave themselves a 6.40 on a scale of 1-7 in 2012, compared to 6.06 in 2010 and 5.88 in 2008. That score might indicate confidence in meeting requirements, however, and not necessarily true effectiveness.

"While organizations are actively taking steps to ensure that patient data is secure, they are so focused on meeting compliance requirements that they have little awareness of the efficacy of their security programs," the researchers write.

Ninety-six percent of respondents reported conducting a formal risk analysis at their organization, but 27% reported they had experienced a breach, and 18% were not aware of whether their organization had experienced a data breach in the past 12 months.

Of those who experienced a security breach, only one-quarter said it triggered an update to their organization's security action plan. Instead, 73% said changes in external policies and regulations such as HIPAA and HITECH drove updates to their action plan for securing patient information.

Similar to the studies in 2008 and 2010, respondents were most likely to indicate that breaches at their organizations were caused by an individual employed by the organization at the time of the breach. In 2012, 79% of respondents said that a breach was caused by an employee.

The full report can be found online at http://tinyurl.com/cab93ur.