Survey: 19% of Hospitals Have Had a BreachUnauthorized internal access most common
Nearly two-thirds of those reporting a breach said the source was unauthorized access to information by an individual employed by the organization at the time of the incident.
Some 79 percent of respondents that had experienced a breach said they provided increased training for employees, compared to only 34 percent who said they made changes to their security policies and procedures.
HIMSS Analytics, the research unit of the Healthcare Information and Management Systems Society, Chicago, conducted the survey in December 2009 as a follow-up to a similar poll in April 2008. Kroll Fraud Solutions, Nashville, Tenn., commissioned both surveys.
The study shows that "security practices in place continue to overemphasize a checklist mentality for compliance without implementing more comprehensive and sustainable changes," according to the executive summary. It notes that "hospitals appear to be focusing on how to handle a breach after it has taken place, rather than focusing on risk assessments." Other survey highlights include:
- Some 31 percent say "lack of attention by staff to security policy" was most likely to put patient information at risk at their organization, followed by "improper IT security practices in place," cited by 26 percent.
- In the past six months, 76 percent said they had they had implemented technical IT security measures, such as firewalls or use of encrypted e-mails. Some 72 percent has implemented physical security measures, such as locks or badge access, and 70 percent had updated their security policies and procedures.
- Only one-third of respondents said the individual responsible for patient data security is a chief security officer, chief privacy officer or chief compliance officer. Some 23 percent said the health information management (medical records) director had the responsibility.
Half of the respondents to the survey, "2010 HIMSS Analytics Report: Security of Patient Data," work at hospitals with fewer than 100 beds. The most common title of those surveyed was health information management director or manager. HIMSS Analytics based the survey on a random sample of its own database of U.S. hospitals.