Regulatory compliance alone not protecting practices against data breaches

A report notes that resources are being concentrated on government rules and incentives, hindering fuller efforts at guarding against information theft or loss.

Posted April 26, 2012


In an effort to meet industry and government patient privacy regulations, many health care organizations, including physician practices, are stuck in a “check-box mentality” that has taken focus away from other vulnerabilities, an organization behind a report on data security concludes.

The Healthcare Information and Management Systems Society surveyed 250 senior health information technology and data security officers on behalf of Kroll Advisory Solutions, a risk-management firm whose services include data security and data-breach response. The officers reported that they were prepared to meet compliance regulations. On a scale of one to seven, with one being “not at all compliant” and seven being “compliant with all applicable standards,” respondents reported that they were an average of 6.64 in terms of meeting regulations set by the Centers for Medicare & Medicaid Services, a 6.62 for meeting HIPAA regulations, and a 6.41 for meeting state security laws.

However, evidence continues to mount that despite the compliance, health organizations, particularly physician practices, are vulnerable to data breaches. Verizon’s “2011 Data Breach Investigations Report” stated that small organizations, including physician practices, represented the largest number of data breaches in 2011. A previous Kroll report said physician practices were at risk for breaches because they are “the path of least resistance,” with basic security protections overlooked as practices focus on meeting regulatory requirements.

Physician practices and hospitals have similar issues, said Brian Lapidus, senior vice president of Kroll Advisory Solutions. “If you have a limited supply set of time and money and staff, you’re going to focus one of two places,” he said. “So they are focused on compliance” because practices and hospitals are getting financial incentives for doing so — or may risk penalties if they don’t.

Security risks

There are many ways data breaches can occur, but the proliferation of mobile device use in health care is increasing the risk of breaches for many organizations. Thirty-one percent of the HIMSS/Kroll survey respondents said use of portable devices was putting them at risk.

Laptops and handheld devices were the source of 12% of breaches in 2008, according to data provided by the respondents. In the 2012 survey, nearly twice as many (22%) respondents said those devices were the source of security breaches.

Securing patient data on mobile devices has become such an important facet of data security that the Health and Human Services Office of the National Coordinator for Health Information Technology held a roundtable in March to discuss strategies for mobile device security.

Another big issue is breaches that are caused by those outside a practice. Twenty-eight percent of respondents said sharing data with external parties was putting them at risk.

“There are numerous reports of security breaches that have taken place as a result of the actions taken by business associates handling identifiable health information,” said Lisa Gallagher, senior director of privacy and security for HIMSS.

“Health care organizations need to ensure that their business associates are taking every precaution to safeguard this information,” Gallagher said.

Not only should health care organizations do background checks, extensive training and continuous monitoring of employees, but they should ensure that their business associates are doing the same, she said.

If a breach occurs as the result of the actions of a third party, “your patients aren’t going to care that it was a third party,” Lapidus said. “They didn’t hire them. They came to you.”

A problem many health care organizations are having when it comes to data security is just keeping up with the rapidly changing technology environment. At the ONC’s March roundtable, Steve Heilman, MD, chief medical information officer for Norton Health Care, a large hospital network in Louisville, Ky., underscored this point by sharing his organization’s experience. He said Norton has a “bring your own device” policy, and the ways in which clinicians are using the devices are constantly evolving. For example, physicians are using video chat for patient handoffs, and nurses are using text messaging to communicate with doctors.

“[W]e’re finding out that if you don’t have policies in place to help govern that, it becomes sort of the Wild, Wild West out there in health care,” Dr. Heilman said.



Levels of compliance with patient data security regulations

Health care organizations surveyed for the biennial “HIMSS Analytics Report: Security of Patient Data” reported a readiness to comply with a variety of industry and government regulations. They were asked to rank their level of compliance on a scale of one to seven, with one being “not at all compliant” and seven being “compliant with all applicable standards.”

Regulation                       Compliance level (1-7)
-------------------------------  ----------------------
CMS regulations                  6.64
HIPAA regulations                6.62
State security laws              6.41
Red flags rule                   6.13
HITECH/Stimulus package rules    5.97

Source: “2012 HIMSS Analytics Report: Security of Patient Data,” April


What puts health data at risk

Despite their readiness to meet government and industry regulations regarding patient data privacy, health care organizations say they face other challenges that make them vulnerable to breaches. Respondents to a Healthcare Information and Management Systems Society survey could give multiple responses.

Challenge                                     Said it puts them at risk
--------------------------------------------  -------------------------
Lack of staff attention to policy             45%
Information available on portable devices     31%
Sharing information with external parties     28%
Number of contract employees                  27%
Lack of effective employee education          27%
Improper IT security practices                24%
Absence of risk analyses                      20%
Paper-based charts not secure                 20%
Lack of required IT security solutions        17%
Lack of data breach incident response plan    12%
Electronic information not secure             11%

Source: “2012 HIMSS Analytics Report: Security of Patient Data,” April
