Healthcare data breaches are on the rise and a new Healthcare Information and Management Systems Society (HIMSS) report on data security points to lapses in security policy surrounding physical access as the primary culprit.
Proof of physical data breaches as a threat could be found this week in Miami at Memorial Healthcare System hospitals, which mailed letters to 9,500 patients who may have had their records improperly accessed. According to Kerting Baldwin with Memorial Healthcare System, two employees who accessed the records with the intent of filing fraudulent tax returns have been fired and are under criminal investigation.
This anecdotal evidence supports the findings of the HIMSS April 2012 data security survey of healthcare providers, in which 79 percent of respondents reported a security breach was perpetrated by an employee. Providers also said 56 percent of breaches involved unauthorized access by someone employed by them at the time the incident occurred.
The study was performed with funding and expertise from Kroll Advisory Solutions, an IT security provider. The bi-annual HIMSS study, titled Analytics Report: Security of Patient Data, interviewed 250 healthcare industry professionals nationwide in December of last year.
Data collected from respondents indicated an increase in the number of overall data breaches at 27 percent, up from 19 percent in 2010 and 13 percent in 2008. The survey also showed respondents felt more confident than ever when it comes to data security, scoring themselves an average of 6.40 out of seven for preparedness. Respondents in previous years were not quite as confident, scoring themselves a 6.06 in 2010 and 5.88 in 2008.
Simply following Meaningful Use guidelines could be giving providers a false sense of security or leading to a lack of vigilance. While following government security guidelines can be useful and lead to incentive dollars, companies must enhance these policies with preventative measures of their own, Brian Lapidus, senior vice president for Kroll, said in a statement.
“Evolving threats will always outpace even the most thorough regulatory requirements,” said Lapidus. “For that reason, organizations will need to constantly assess their security risk levels and evolve their policies and procedures to ensure that they are in the best possible position to protect their patients and their bottom lines.”
Another interesting aspect of the report was the apparent confusion or lack of consistency surrounding who was ultimately responsible for data security. Twenty-one percent of respondents said it was the HIM director, 19 percent said the CIO, and 10 percent of respondents said it was the chief security officer’s responsibility.
Reliance on third parties might be another source of concern for whoever is responsible for data security. The survey showed that 28 percent of respondents felt “sharing information with external parties” is the top behavior that could put patient data at risk. This number increased from 18 percent in 2010 and 6 percent in 2008.
“There are numerous reports of security breaches that have taken place as a result of the actions taken by business associates handling identifiable health information,” said Lisa Gallagher, senior director of privacy and security for HIMSS.
“Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information.”