Survey: Encryption Momentum Building
Health Data Breach Prevention Steps Highlighted
To prevent data breaches, healthcare organizations are taking a number of critical steps, including ramping up their use of encryption, the second annual Healthcare Information Security Today Survey shows.
Preventing and detecting breaches is one of the top three information security priorities for this year, the survey confirms.
And for now, organizations are more confident about their ability to counter external threats, such as hacker attacks, than they are about countering internal threats, such as staff members losing unencrypted devices.
HealthcareInfoSecurity conducted the online survey of information security professionals and other senior executives at hospitals, clinics, health plans and other healthcare organizations. RSA, the Security Division of EMC, sponsored the survey. A full report on the survey results is now available, as well as registration for a free webinar analyzing the results.
The survey shows the top five breach prevention steps for this year are:
- Stepping up training on privacy, security issues;
- Implementing encryption of all mobile devices and removable media;
- Using an audit tool to enhance detection of unauthorized access;
- Applying encryption to all end-user devices;
- Prohibiting storage of any protected health information on mobile devices and removable media.
Encryption also was the most common answer to the open-ended question: "What one factor would most improve information security at your organization?"
Breaches as Catalyst
The focus on encryption is likely spurred, in large part, by the publicity about major health information breaches, a majority of which have been caused by lost or stolen unencrypted devices or media (see: Breach Tally: Encryption Still an Issue).
In an interview about the survey, Eric Cowperthwaite, chief information security officer at Providence Health and Services, a Seattle-based delivery system, says: "The default standard practice ... is going to be to encrypt any device that contains patient data and could leave your physical control."
But for now, the survey confirms that encryption isn't yet a standard practice.
While 64 percent of healthcare organizations encrypt information transmitted over exposed external networks, 58 percent encrypt mobile devices, the survey shows. Only half encrypt backup tapes or desktop PCs, and encryption of mobile storage media, as well as servers and databases, is even less common.
Similarly, the use of advanced authentication techniques for providing access to electronic health records is relatively rare, according to the survey.
Top Priorities, Investments
The survey shows top information security priorities for this year include improving regulatory compliance efforts, improving security training and preventing and detecting breaches. Top planned technology investments include an audit tool or log management system, a data loss prevention system and a mobile device management system.
"Mobile device management is a huge issue if you want to enable a mobile workforce and all of the benefits that it entails," Cowperthwaite says.
About 58 percent of healthcare organizations allow clinicians to use their personal mobile devices for work-related purposes, the survey shows.
The most common way to fund information security, the survey shows, is to ask for money to be allocated out of the overall IT budget as needed for security projects. Only 37 percent of organizations expect their budgets for information security to increase this year.
Unfortunately, the key to winning senior executive support for ramped-up security spending "is to have a breach or have your neighbor have a breach," says Bill Spooner, CIO at Sharp HealthCare, a seven-hospital system based in San Diego, in an interview about the survey. "Typically, the organization that has the breach finds themselves implementing more rigorous procedures - things that they probably should have had in the first place. ... But with the number of reported breaches that we're seeing in the news almost every week, it's not quite as difficult of an argument as it was five or 10 years ago, because we realize that we're all vulnerable."
The HIPAA Omnibus Rule officially increases the penalties for HIPAA non-compliance and spells out a ramping up of HIPAA enforcement efforts.
The compliance deadline for the omnibus rule, which modifies the HIPAA privacy, security and enforcement rules, looms in September. Also on the horizon is the resumption of federal HIPAA compliance audits later this year or early in 2014. And recent federal settlements in the wake of breach investigations have shown that failure to comply with HIPAA can result in hefty financial penalties.
The perception that federal regulators are finally getting serious about enforcing HIPAA could prove to be a powerful incentive for ramping up security investments. The survey results confirm, however, that there's still plenty of work to be done.
A full report on the survey, including an in-depth analysis, is now available.