Security survey reveals troubling gaps

Business associates especially lagging
By Bernie Monegain
09:43 AM

A new survey shows a "significant amount of security risk" occurring across industry, including healthcare organizations.

DataMotion, an email encryption and health information service provider, polled more than 780 IT and business decision-makers across the U.S. and Canada. In particular, the survey focused on individuals who routinely work with sensitive data and compliance regulations in a variety of industries including healthcare, financial services, education and government.

The findings reveal a significant amount of security risk occurring within organizations. Although companies are increasingly putting security and compliance policies in place – with nearly 90 percent of respondents affirming that fact in 2014 (compared to 81 percent in 2013 and 80 percent in 2012) – more than one-third said they don't think employees fully understand their company's security and compliance policies.

[See also: Healthcare's slack security costs $1.6B.]

The findings in healthcare are particularly troubling. In its focus on business associates and the long tail of HIPAA/HITECH, the survey revealed:

  • Almost 70 percent of respondents whose organizations have a business relationship with a healthcare entity also process protected health information. Yet more than a quarter of these said they were either not a business associate or were unsure if they were.
  • Of those processing a healthcare entity's PHI, 40.5 percent had either not been asked to sign a Business Associate Agreement or were unsure if they had.
  • HIPAA regulations redefined business associates (BAs) to include downstream entities such as subcontractors, data backup companies and personal health record providers. Many organizations not previously impacted by HIPAA/HITECH now fall under its long tail. Both of the above numbers show a lack of awareness, placing BAs and the healthcare entities they work with at risk of non-compliance.

Additional findings of the overall survey show that nearly 44 percent of respondents admitted that within their company or organization, security and compliance policies are at most only moderately enforced. More than three-quarters of respondents said they believe employees at least occasionally violate their company's compliance and security policies, and more than one in five said those who do so are aware of what they are doing but violate the policies anyway, simply to get their jobs done.

[See also: How Kaiser does privacy and security.]

The survey also found compliance confidence to be lackluster; mobile device use is widespread even though encryption on those devices is not, and email encryption continues to lag.

"Though the survey shows us there is year-over-year growth in the number of companies putting security and compliance measures in place, the widespread security risks occurring are of great concern," said Bob Janacek, chief technology officer at DataMotion, in a news release announcing the findings. "Particularly at a time when a number of organizations – both large and small – have experienced serious data breaches, it is essential that companies have strong security and compliance policies in place and that they ensure their employees fully understand and diligently follow them.

"These measures should be across the board," he added, "as the data shows a gaping hole in security when it comes to mobile devices – with many companies permitting their use but not taking into account their lack of email encryption capabilities. Hopefully, this data will provide organizations with a better understanding of what steps need to be taken to ensure security and compliance."