Preventing Breaches: Beyond Compliance
Why a Checklist Approach to Security Is Not Enough
Just how common are information breaches in healthcare? It's impossible to know for sure, but a new survey finds that 27 percent of healthcare organizations have experienced a reportable breach in the past 12 months.
The survey of 250 healthcare organizations, conducted in December, finds that of those that experienced a breach of any size, 69 percent reported more than one incident.
The study, conducted by HIMSS Analytics and commissioned by Kroll Advisory Solutions, includes some surprising results about how breaches affect security strategies. Of the organizations that experienced a breach, only one quarter indicated the incident triggered an update to their organization's security action plan. Instead, such updates are usually triggered by changes in external policies and regulations.
"Healthcare continues to prioritize compliance over security, yet the study shows that increased compliance is not synonymous with increased security," says Brian Lapidus, senior vice president at Kroll.
Regulatory compliance "is not enough to protect organizations from the myriad data security threats," he adds. Because regulations, such as HIPAA, cannot be revised fast enough to keep up with the latest security threats, providers need to go beyond compliance and "fill in the gaps with additional protective measures," he suggests.
Certainly, an effective risk management strategy requires more than a checklist approach focusing solely on compliance. Healthcare organizations need to regularly update their risk assessments to pinpoint threats and then take appropriate mitigation steps, including investments in security technologies, such as encryption for mobile devices that store sensitive data.