Health Info Security: Much to be Done
Surveys Identify Need to Make Security a Higher Priority
The research points to the need for those entrusted with patient data to place greater priority on security. It also makes it clear that toughened federal regulations are less than effective if they aren't aggressively enforced.
A recent consumer poll by Zogby International on behalf of Patient Privacy Rights found that 97 percent of Americans said they did not support their doctor, healthcare organization or insurer sharing or selling their data without their prior approval, and 93 percent said they alone should decide who gets access to their data in an electronic health record. Who are they concerned about? Poll responders named the government and corporations as their biggest concerns, but also identified researchers, nosy employees and people with malicious intent.
Protecting EHRs
Consumer confidence in organizations' ability to protect information stored in electronic systems is low. Is consumer concern about the privacy of their healthcare information well-founded? To answer this question we need to first present a credible threat.
Although many healthcare organizations are serious about protecting patient data, survey after survey tells the story that some apparently are not.
According to a new cybersecurity report from Hewlett Packard, computer threats are becoming more sophisticated and the attackers behind them more organized. And the major findings of the analysis apply directly to healthcare.
The report identified the use of social media and attacks against web applications as major new threat sources. Healthcare organizations are increasing their use of social media to reach out to more potential patients. Web applications are being used to connect to more users. And healthcare continues to struggle with patching and configuration management, making older systems susceptible.
The official federal list of major healthcare information breaches also provides a good source of information. Incidents listed include theft of devices, hacking, identity theft and inappropriate disposal of data and paper records.
A small survey of hospitals by the Ponemon Institute found that most attributed breaches of patient data to inadequate security budgets and lack of trained security staff. And most said protecting patient data was not a top priority at their organization.
It helps to view these observations within the context of other surveys, such as the 2010 HIMSS Security Survey, which focused on security readiness.
The HIMSS survey found that hospital and clinic security budgets have not increased, while slightly more than half of organizations have a dedicated security officer. The majority of respondents rated the maturity of their security program as mid-range.
Funding for Security
So even with the passage of the HITECH Act, which toughened penalties for violating the HIPAA privacy and security rules, winning security funding continues to be a challenge.
Respondents to the Ponemon survey said that federal regulations have not improved the safety of patient records, which is consistent with the stagnant results of the HIMSS surveys over the last three years regarding the size of security budgets.
The HIMSS survey observed that detection is still not the focus of healthcare security; auditing is largely reactive and reliant on manual efforts. This adds credence to the Ponemon survey's finding that 58 percent of those polled have little confidence in their organization's ability to detect breaches, and that 41 percent of those that had a breach discovered it only as a result of a patient complaint.
Sophisticated Security Threats
In light of the HP report's findings that computer threats are becoming more sophisticated, the security shortcomings identified in the various surveys are troubling.
Both the Ponemon and HIMSS surveys found that organizations with a strong security posture, those that conducted risk analysis and remediated findings, were less likely to suffer major breaches. They also found that those organizations that had implemented an EHR believed that they had improved security of patient data as a result.
Clearly those organizations that are serious about security have seen the benefits of their commitment. Security requirements that are not optional, such as the security functionality built into EHRs, are making a difference.
The problem is not security capability, but making security a priority and devoting dedicated resources to it.
Where a lack of resources is a real issue, perhaps the HHS Office of the National Coordinator for Health IT should look for ways to provide support, possibly through the regional extension centers, which offer EHR education.
But for those organizations that have yet to make security a priority, regardless of resources, perhaps the time has come for the HHS Office for Civil Rights to get serious about carrying out the toughened penalties for HIPAA security and privacy rule violations called for under the HITECH Act.
Mac McMillan is co-founder and CEO of CynergisTek Inc., an Austin, Texas-based firm specializing in information security and regulatory compliance.