Breaches epidemic despite efforts at compliance, says Kroll

By Mike Miliard
10:32 PM

A new study from HIMSS Analytics and Kroll Advisory Solutions shows that, a diligent focus on security compliance notwithstanding, healthcare providers are still badly lacking when it comes to privacy protections. In fact, data breaches have only increased in recent years.

According to the 2012 "HIMSS Analytics Report: Security of Patient Data," increasingly stringent regulatory activity with regard to reporting and auditing procedures – and increased compliance from providers – haven't done anything to prevent an uptick in breaches over the past six years.

The report is the third iteration of Kroll’s biannual survey of healthcare providers nationwide.

Ironically, it shows increasing confidence on the part of its respondents – which included HIM directors, compliance officers, CIOs and more – that they're ready for data risks. On a scale of one to seven, with one being “not at all prepared” and seven being “extremely prepared," respondents scored themselves an average of 6.40 – compared to 6.06 in 2010 and 5.88 in 2008.

But feeling like one is in adherence with policy prescriptions is not the same as actually protecting personal health information (PHI), says Brian Lapidus, senior vice president for Kroll Advisory Solutions.

"Organizations that have never dealt with one of these issues might think they're prepared," says Lapidus. "But when you get into the reality of actually handling the event, it becomes a whole different ballgame."

Indeed, 27 percent of respondents reported a security breach in the past year – well up from 19 percent in 2010 and 13 percent in 2008. More than two-thirds (69 percent) experienced more than one in the past 12 months.

Clearly, increased preparedness is not synonymous with increased security, says Lapidus. More often than not, providers are "prioritizing compliance over security," he says. "Where we are, with meaningful use and the incentives that come with that, those statutes are really tied more to compliance than they are to security."

Sure, there are security factors built in to the HITECH Act, he adds, "but because the incentive is focused on complying with EHR conversion and meaningful use, I think security might be taking a little bit of a backseat."

That said, the survey did find that a robust 96 percent of respondents reported conducting a formal risk analysis at their organization in the past 12 months. A good start, says Lapidus – but not enough, in and of itself.

[See also: Risk assessments leave hospitals hamstrung.]

"Risk assessment is the tip of the sword," he says. "And the depth of that assessment, that analysis, is going to vary from organization to organization. Some use it as a starting point for a deeper dive. They do the risk assessment, they understand their vulnerabilities, and then they use that assessment and the results that come from it as a work list with which they, organizationally, can go through and start working on each of these vulnerable areas."

At the other end of the spectrum, says Lapidus, "you have people who do the risk assessment and say, 'Great, I've done it, this is my checkbox for meaningful use Stage 1, and away we go.'"

That's not enough. The HIMSS/Kroll study offers ample evidence that healthcare is being buffeted by significant and fast-evolving security threats these days – and shows why it's imperative for healthcare organizations to take a proactive and nimble approach to ensuring their patients' personal health information is protected.


Among the findings of the 2012 "HIMSS Analytics Report: Security of Patient Data," one of the most salient is that human error still poses the greatest risk to data security.

  • In 2012, 79 percent of respondents reported that a security breach was perpetrated by an employee.
  • Fifty-six percent of respondents indicated that the source of a reported breach was unauthorized access to information by an individual employed by the organization at the time of the breach.
  • Forty-five percent of respondents indicated that lack of staff attention to policy puts data at risk – an increase of 14 percent from 2010.

Another significant takeaway is that mobile devices might be great for giving clinicians information at the point of care – but they're not so good at keeping PHI safe. Nearly a third (31 percent) of respondents indicated that information available on a portable device was among the factors most likely to cause a breach (up from 20 percent in 2010 and four percent in 2008).

Mobile represents a "whole new world," says Lapidus. Once upon a time, organizations were worried enough about "keeping their desktops and laptops secure" – and now you have employees bringing mobile phones into the office that also happen to be computers.

"They're going to be a continuing cause of security issues," he says. "The proliferation of them, and the expansion of the amount of data they store, makes it easy to get data in and out of your organization. You have to be mindful of people bringing things that are innocuous into the workplace and using them to access data."

Lapidus adds that, "I don't think we know yet how organizations are going to truly manage it, other than making sure mobile is part of their policy and procedures."

[See also: Security takes backseat to meaningful use.]

Third parties pose another big problem. With providers lacking the resources to deal with a multitude of demands, outsourcing of patient data is increasing – and so are third-party breaches. Yet security practices aren't keeping up with this new state of affairs, the survey finds:

  • Eighteen percent of respondents that experienced a breach in the past 12 months cited third parties as the root cause.
  • Twenty-eight percent of respondents indicated that “sharing information with external parties” is the top item that put patient data at risk (up from 18 percent in 2010 and 6 percent in 2008).
  • Half of respondents noted that they required proof of employee training from third parties.
  • A little more than half (56 percent) indicated they require proof of employee background checks.
  • The same percentage of respondents said they verify that their third party vendors conduct a periodic risk analysis to identify security risks and vulnerabilities.

"There are numerous reports of security breaches that have taken place as a result of the actions taken by business associates handling identifiable health information," said Lisa Gallagher, senior director of privacy and security for HIMSS, in a written statement. "Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information … background checks, employee training and continued monitoring of policies and procedures are steps all covered entities should ensure are taken by their business associates."

"It's a critical aspect, and one that's often overlooked," adds Lapidus. "Organizations outsource plenty of services." Employee benefits, for instance – in which case, "that third party has access to your employees' PII [personally identifiable information] – and maybe their PHI. When they chose that employee benefit provider, was the chief compliance officer involved? Was the chief information security officer involved? I would say it's doubtful."

In other words: Is security the first lens organizations are looking through when sharing their data with third parties? "I don't think it is, and I think it should be," he says. "It requires everybody to have a risk-minded approach."

[See also: Red Flags a ‘no brainer’ say experts.]

Yet another discouraging finding of the HIMSS/Kroll study is that there's still little clarity in most organizations about just who is responsible for data security. Asked who held that role, respondents' answers ranged widely, from HIM director (21 percent) to CIO (19 percent) to chief security officer (10 percent) to chief privacy officer, chief compliance officer and CEO (12 percent each).

"You have 'responsible,' and you have 'accountable' – those are the two pools of people," says Lapidus. "In my mind, the executive board of the organization is responsible, from the CEO to everyone else in the C-suite."

The problem, though, is that "shared responsibility can sometimes lead to a lack of accountability."

Lapidus says he believes that everyone in that C-Suite – "chief information security officer, chief compliance officer, chief privacy officer, general counsel and CIO" – is "accountable for making sure this happens, each in their own way. They should be linked in arms, doing everything they can to protect patient data."


Presuming this study is undertaken once again in two years' time, Lapidus predicts "the big theme is still going to be mobile" in 2014. "Everybody is still getting their head around it."

Even on the off chance that smartphone privacy and security is solved tomorrow, after all, "mobile in 2014 is going to be very different – and a whole lot more complicated."

Bottom line, organizations "have to figure out how they'll respond" to myriad security threats, on many different fronts.

Of course, it won't be easy.

Health providers "have a lot coming at them," says Lapidus. "They've got meaningful use, they've got EHR implementations, they've got HIPAA requirements" – to say nothing of their normal, day-to-day business of caring for patients.

All that said, "I wouldn't be so quick to give a pass because people are busy," he says. "Then that could be the universal excuse for everything. There is a responsibility for these organizations to protect patient data."

For a copy of the "2012 HIMSS Analytics Report: Security of Patient Data," visit