The Security Scrutinizer with Howard Anderson

Preventing Breaches: Beyond Compliance

Why Checklist Approach to Security Is Not Enough

Just how common are information breaches in healthcare? It's impossible to know for sure, but a new survey finds that 27 percent of healthcare organizations have experienced a reportable breach in the past 12 months.

The survey of 250 healthcare organizations, conducted in December, finds that of those that experienced a breach of any size, 69 percent reported more than one incident.

The study, conducted by HIMSS Analytics and commissioned by Kroll Advisory Solutions, includes some surprising results about how breaches affect security strategies. Of the organizations that experienced a breach, only one quarter indicated the incident triggered an update to their organization's security action plan. Instead, such updates are usually triggered by changes in external policies and regulations.

"Healthcare continues to prioritize compliance over security, yet the study shows that increased compliance is not synonymous with increased security," says Brian Lapidus, senior vice president at Kroll.

Regulatory compliance "is not enough to protect organizations from the myriad data security threats," he adds. Because regulations, such as HIPAA, cannot be revised fast enough to keep up with the latest security threats, providers need to go beyond compliance and "fill in the gaps with additional protective measures," he suggests.

Certainly, an effective risk management strategy requires more than a checklist approach focusing solely on compliance. Healthcare organizations need to regularly update their risk assessments to pinpoint threats and then take appropriate mitigation steps, including investments in security technologies, such as encryption for mobile devices that store sensitive data.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
