Survey: 19% of Hospitals Have Had a Breach

Unauthorized internal access most common
A new survey of executives at 250 hospitals found that 19% had experienced at least one security breach in the past 12 months, up from 13 percent in a similar survey conducted in early 2008.

Nearly two-thirds of those reporting a breach said the source was unauthorized access to information by an individual employed by the organization at the time of the incident.

Some 79 percent of respondents that had experienced a breach said they provided increased training for employees, compared to only 34 percent who said they made changes to their security policies and procedures.

HIMSS Analytics, the research unit of the Healthcare Information and Management Systems Society, Chicago, conducted the survey in December 2009 as a follow-up to a similar poll in April 2008. Kroll Fraud Solutions, Nashville, Tenn., commissioned both surveys.

Checklist mentality?

The study shows that "security practices in place continue to overemphasize a checklist mentality for compliance without implementing more comprehensive and sustainable changes," according to the executive summary. It notes that "hospitals appear to be focusing on how to handle a breach after it has taken place, rather than focusing on risk assessments." Other survey highlights include:

  • Some 31 percent say "lack of attention by staff to security policy" was most likely to put patient information at risk at their organization, followed by "improper IT security practices in place," cited by 26 percent.

  • In the past six months, 76 percent said they had implemented technical IT security measures, such as firewalls or use of encrypted e-mails. Some 72 percent had implemented physical security measures, such as locks or badge access, and 70 percent had updated their security policies and procedures.

  • Only one-third of respondents said the individual responsible for patient data security is a chief security officer, chief privacy officer or chief compliance officer. Some 23 percent said the health information management (medical records) director had the responsibility.

Half of the respondents to the survey, "2010 HIMSS Analytics Report: Security of Patient Data," work at hospitals with fewer than 100 beds. The most common title of those surveyed was health information management director or manager. HIMSS Analytics based the survey on a random sample of its own database of U.S. hospitals.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
