Study points to critical gaps in hospital data security
Even as providers work to update their security environments, hospital data continues to be at serious risk, according to the 2010 HIMSS Analytics Report: Security of Patient Data.
Despite new statutory requirements for healthcare privacy and security, the study found critical gaps in data security – and its findings suggested that efforts to keep data safe were often more reactive than proactive, with hospitals dedicating more resources to breach response than to breach prevention.
The report, based on a biannual survey of 250 healthcare professionals nationwide, was commissioned by Kroll Fraud Solutions, a leading provider of data protection and identity theft response services, in partnership with HIMSS Analytics, a wholly-owned, not-for-profit subsidiary of the Healthcare Information and Management Systems Society (HIMSS).
"The results of the latest study are bittersweet to say the least," said Brian Lapidus, Kroll's chief operating officer. "On one hand, healthcare organizations are demonstrating increased awareness of the state of patient data security as a result of heightened regulatory activity and increased compliance. On the other, organizations are so afraid of being labeled ‘noncompliant’ that they overlook the bigger elephant in the room, the still-present risk and escalating costs associated with a data breach. We need to shift the industry focus from a ‘check the box’ mentality around compliance to a more comprehensive, sustained look at data security."
When the last HIMSS Analytics report on the security of patient data was released in April 2008, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the primary regulatory requirement for hospitals. At that time, the study suggested that HIPAA’s focus on medical privacy fostered a significant lack of awareness among healthcare providers around the frequency, cause and seriousness of patient identity theft.
Unfortunately, despite the recent flurry of regulatory activity around patient data security, and the severe financial penalties these laws impose, the same is true in 2010, according to the new report, key findings of which include: