Groups bolster privacy, security efforts

But officials say many are still not doing enough
By Erin McCann
12:00 AM

With the federal government's increasing oversight for HIPAA privacy breaches, more healthcare organizations have responded by bolstering their privacy and security budgets in attempts to stay on the offensive, a December HIMSS survey finds.

Officials say, however, that although many of these groups are now hiring more security staff and conducting risk analyses on an annual basis, they're still not doing enough to implement the proper prevention policies and technologies. 

Survey findings, announced at the Healthcare IT News/HIMSS Media Privacy and Security Forum in Boston, reveal that although both hospitals and medical practices nationwide have continued to bolster their privacy and security budgets over the past five years, the percentage of the budget dedicated to these issues remains a cause for concern. "Over the last five years, we see a significant portion of the organizations say that their privacy and security funding is between 1 and 3 percent of their budget," says Lisa Gallagher, senior director of privacy and security for HIMSS. "That's still a pretty concerning number."

Bob Krenek, senior director at Experian Data Breach Resolution, says one of the biggest disconnects for providers surrounding privacy and security is not always the technology implementation but rather involves the lack of policy procedures in place. "Policy is as important as putting the programs in place," he says. He adds that many healthcare organizations now perform mock data breaches for unknowing staff, who are required to make the appropriate calls and follow specific data breach procedures.

According to data from the Department of Health and Human Services (HHS), more than 21 million patient records have been compromised in healthcare data breaches since 2009. What's even more concerning, Gallagher adds, is that "data breaches involving 499 or fewer are not counted in the HHS final count." She estimates that somewhere between 40-45 million patient records might have been compromised. The number can't be confirmed, as the data isn't all there, she adds, but it's a more accurate number based on healthcare organizations' reporting.

"[Electronic health] information is accessible from anywhere in the world," says patient privacy advocate and Washington, D.C., attorney James Pyles. "Once it's stolen electronically, it can exist forever, and it can exist in an infinite number of places."

Pyles isn't against health information technology, but he says if it's not tightly controlled, it wields the potential to bring down the whole system. "As we see these massive breaches taking place, they're then being followed by government investigations and civil monetary penalties being imposed of hundreds of thousands and millions of dollars, which is only diverting dollars from healthcare," he said. "It's diverting it to penalties."

A bit of good news, however, is that more organizations are at least attempting to avoid these penalties. For instance, the majority of healthcare organizations are conducting regular risk analyses, with 90 percent of hospitals and 65 percent of medical practices doing so.

Nearly half (43 percent) of survey respondents test their data breach response plans, with 81 percent saying they test their plans annually. Some 64 percent of respondents test their IT security plan, with 78 percent testing them annually.

Findings also show data and security tools to be widely used among hospitals and medical practices, with more than 97 percent having firewall tools and 92 percent having user access controls. Disaster recovery, offsite storage, wireless security protocols, and electronic signatures security tools were also used by more than 71 percent of respondents overall.

Certain tools, however, had lower adoption rates specifically among medical practices. Intrusion prevention and detection, for example, had adoption rates of only 36 percent  -  this in comparison to the more than 71 percent of hospitals that currently use these tools.

To providers and IT professionals who are looking to take the next step, Krenek says when "getting things done, it's going to have to come from the top down." He advises healthcare IT professionals to go to the hospital or organization board with proposals and requests for increased privacy and security policies. 

Considering more than 50 percent of all HIPAA breach cases the HHS Office for Civil Rights has investigated involves the theft of an electronic device or server, "The easiest way to protect that data is encrypting it," Krenek adds. "It's not expensive, and it's probably the easiest thing to do."