Regulatory compliance alone not protecting practices against data breaches
■ A report notes that resources are being concentrated on government rules and incentives, hindering fuller efforts at guarding against information theft or loss.
- WITH THIS STORY:
- » Levels of compliance with patient data security regulations
- » What puts health data at risk
In an effort to meet industry and government patient privacy regulations, many health care organizations, including physician practices, are stuck in a “check-box mentality” that has taken focus away from other vulnerabilities, an organization behind a report on data security concludes.
The Healthcare Information and Management Systems Society surveyed 250 senior health information technology and data security officers on behalf of Kroll Advisory Solutions, a risk-management firm whose services include data security and data-breach response. The officers reported that they were prepared to meet compliance regulations. On a scale of one to seven, with one being “not at all compliant” and seven being “compliant with all applicable standards,” respondents reported that they were an average of 6.64 in terms of meeting regulations set by the Centers for Medicare & Medicaid Services, a 6.62 for meeting HIPAA regulations, and a 6.41 for meeting state security laws.
However, evidence continues to mount that despite the compliance, health organizations, particularly physician practices, are vulnerable to data breaches. Verizon’s “2011 Data Breach Investigations Report” stated that small organizations, including physician practices, represented the largest number of data breaches in 2011. A previous Kroll report said physician practices were at risk for breaches because they are “the path of least resistance,” with basic security protections overlooked as practices focus on meeting regulatory requirements.
Physician practices and hospitals have similar issues, said Brian Lapidus, senior vice president of Kroll Advisory Solutions. “If you have a limited supply set of time and money and staff, you’re going to focus one of two places,” he said. “So they are focused on compliance” because practices and hospitals are getting financial incentives for doing so — or may risk penalties if they don’t.
There are many ways data breaches can occur, but the proliferation of mobile device use in health care is increasing the risk of breaches for many organizations. Thirty-one percent of the HIMSS/Kroll survey respondents said use of portable devices were putting them at risk.
Laptops and handheld devices were the source of 12% of breaches in 2008, according to data provided by the respondents. In the 2012 survey, nearly twice as many (22%) respondents said those devices were the source of security breaches.
Securing patient data on mobile devices has become such an important facet of data security, the Health and Human Services Office of the National Coordinator for Health Information Technology held a roundtable in March to discuss strategies for mobile device security.
Another big issue is breaches that are caused by those outside a practice. Twenty-eight percent of respondents said sharing data with external parties was putting them at risk.
“There are numerous reports of security breaches that have taken place as a result of the actions taken by business associates handling identifiable health information,” said Lisa Gallagher, senior director of privacy and security for HIMSS.
“Health care organizations need to ensure that their business associates are taking every precaution to safeguard this information,” Gallagher said.
Not only should health care organizations do background checks, extensive training and continuous monitoring of employees, but they should ensure that their business associates are doing the same, she said.
If a breach occurs as the result of the actions of a third party, “your patients aren’t going to care that it was a third party,” Lapidus said. “They didn’t hire them. They came to you.”
A problem many health care organizations are having when it comes to data security is just keeping up with the rapidly changing technology environment. At the ONC’s March roundtable, Steve Heilman, MD, chief medical information officer for Norton Health Care, a large hospital network in Louisville, Ky., underscored this point by sharing his organization’s experience. He said Norton has a “bring your own device” policy, and the ways in which clinicians are using the devices are constantly evolving. For example, physicians are using video chat for patient handoffs, and nurses are using text messaging to communicate with doctors.
“[W]e’re finding out that if you don’t have policies in place to help govern that, it becomes sort of the Wild, Wild West out there in health care,” Dr. Heilman said.