A new report on data breaches in the health care sector reveals the pervasive problem of security threats posed by employees, and indicates that providers often prioritize compliance with government regulations at the expense of implementing comprehensive security measures to safeguard patient information.
“While organizations are actively taking steps to ensure that patient data is secure, they are so focused on meeting compliance requirements that they have little awareness of the efficacy of their security programs,” according to the report “2012 HIMSS Analytics Report: Security of Patient Data,” which was commissioned by the consultancy Kroll Advisory Solutions.
The survey of 250 hospital executives, officers, and managers found that while 96 percent of respondents said their organizations had conducted a formal risk analysis on the security of their patient data, 27 percent reported experiencing a breach of some sort, up from the 19 percent who reported breaches in 2010. This year, 18 percent said they were “not aware of whether or not their organization had actually experienced a data breach in the past 12 months.”
Among those who had experienced a data breach, 69 percent said they had more than one. Yet only one quarter of those who had been breached “said it triggered an update to their organization’s security action plan,” according to the report. “Instead, 73 percent said changes in external policies and regulations such as HIPAA and ARRA HITECH drove updates to their action plan for securing patient information.”
The study also found that “employees continue to be both accidental and deliberate actors within breaches.” Forty-five percent of respondents said that “lack of staff attention to policy puts data at risk,” and 56 percent of respondents reported that a breach stemmed from “unauthorized access to information” by an employee.
Human error, in general, is at play when it comes to data breaches, says Brian Lapidus, a senior vice president at Kroll. Organizations tend to focus on systems, and they don’t think about how their people might cause a key error. But by teaching employees how to interact with data, and by incorporating everyday security awareness into employee training, “you create a culture where everyone’s a risk manager.”
The increasing presence of portable and mobile devices in the workplace also threatens security, according to Kroll:
Twenty-two (22) percent of respondents reporting a breach noted that data was compromised when a laptop, handheld device or computer hard drive was lost or stolen, which is twice the amount (11 percent) reported in 2010.