Snooping staff still a big concern

Healthcare groups show modest security improvements, but are still seriously lacking in several areas
By Erin McCann
10:53 AM
The findings of a new HIMSS healthcare security report have been released, and the data may surprise you. 
Healthcare organizations appear to be taking patients' privacy and security a bit more seriously -- at least in the past 12 months, compared to previous years. Don't be too relieved, however: The numbers, though better, are hardly impressive. 
Moreover, there are still some major concerns. Employee snooping on patients' medical records, for example, remains the top threat motivator, according to the study.
The findings of the 2013 HIMSS Security Survey, profiling the experiences of some 283 healthcare IT security professionals, detail the progress the industry has made in treating privacy and security as a priority -- perhaps because of the hefty $810,000 price tag that accompanies a healthcare security breach -- but also highlight additional work that must be done to mitigate insider threat, such as the inappropriate access of data by employees. 
Some 51 percent of healthcare groups have increased their security budgets in the past year, but nearly half of those organizations are still spending 3 percent or less of their overall IT budget on security initiatives that will secure patient data. Also in the last year, 19 percent of respondents reported a security breach, and 12 percent of organizations have had at least one known case of medical identity theft reported by a patient.

[See also: HIPAA data breaches climb 138 percent.]

Recognizing inappropriate data access by insiders as an area at risk of a security breach, healthcare groups have increasingly adopted several key technologies related to employee access to patient data, including user access controls and audit logs that record each access to a patient's health record. 
Just this past December, the five-hospital Riverside Health System in Southeast Virginia notified 1,000 of its patients they were affected by a HIPAA breach after discovering one of its employees had been snooping on patient records for four years. 
"Healthcare organizations are increasingly deploying technologies to increase data security, but continued analysis is crucial in ensuring the proactive prevention of data breaches within hospitals and physician practices," said Lisa A. Gallagher, vice president, technology solutions at HIMSS in a press release. "Without these anticipatory measures, security of patient data will remain a core challenge within our nation's healthcare organizations."
Other key findings from the survey include the following:
  • 92 percent of organizations conduct a formal risk analysis.
  • 54 percent of organizations report having a tested data breach response plan; 63 percent of these organizations test their plan annually.
  • 93 percent of organizations indicate their organization is collecting and analyzing data from audit logs.
  • Healthcare organizations are using multiple means of controlling employee access to patient information; 67 percent of survey respondents use at least two mechanisms, such as user-based and role-based controls, for controlling access to data.
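As an added illustration (not from the survey or this article) of how the audit logs and access controls listed above can be combined to surface the kind of snooping described earlier, the following compares constructed EHR audit events against a constructed care-team roster and flags chart views by staff who have no care relationship with the patient; the log format, roster and role names are assumptions.

```python
from collections import Counter

# Constructed sample EHR audit log lines (assumed key=value format, not a real product's log)
AUDIT_LOG = """\
2013-12-02T08:15:10 user=nurse.kim role=nurse patient=P1001 action=view_chart
2013-12-02T08:16:42 user=nurse.kim role=nurse patient=P1002 action=view_chart
2013-12-02T09:03:07 user=clerk.lee role=billing patient=P1001 action=view_billing
2013-12-02T12:44:55 user=nurse.kim role=nurse patient=P2200 action=view_chart
2013-12-02T12:45:30 user=nurse.kim role=nurse patient=P2201 action=view_chart
2013-12-03T07:58:11 user=dr.ortiz role=physician patient=P2200 action=view_chart
"""

# Constructed care-relationship roster: which staff are assigned to which patients
CARE_TEAM = {
    "P1001": {"nurse.kim", "dr.ortiz"},
    "P1002": {"nurse.kim"},
    "P2200": {"dr.ortiz"},
    "P2201": {"dr.ortiz"},
}

# Role-based exemption: job functions that legitimately span all patients (assumed)
ROLE_EXEMPT = {"billing"}


def parse_line(line):
    """Turn one 'timestamp key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = ts
    return event


def flag_unrelated_access(log_text, care_team=CARE_TEAM, exempt_roles=ROLE_EXEMPT):
    """Return audit events where the user has no care relationship with the patient."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["role"] in exempt_roles:
            continue  # role-based control already permits this access
        if event["user"] not in care_team.get(event["patient"], set()):
            flagged.append(event)
    return flagged


def snooping_candidates(flagged, threshold=2):
    """Users whose number of unrelated accesses reaches the review threshold."""
    counts = Counter(event["user"] for event in flagged)
    return {user: n for user, n in counts.items() if n >= threshold}
```

In practice the roster would be derived from admission, scheduling or order data, and the threshold tuned so that legitimate float-pool or consult access does not flood the review queue.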
The survey also pinpoints other shortcomings within the healthcare industry. Barriers to improving an organization's security posture included budget, dedicated leadership and the following:
  • Organizations reported an average score of 4.35 with regard to the maturity of their security environment (where one is not at all mature and seven is highly mature).
  • Nearly half of the survey's responding organizations are still spending 3 percent or less of their overall IT budget on security initiatives that will secure patient data.
  • 52 percent of the hospital-based respondents reported that they had a CSO, CISO or other full-time leader in charge of security of patient data.

Although the HIMSS data suggests modest improvements in several areas, a 2014 breach report by healthcare IT security firm Redspin paints a starker picture of the breach numbers. Using data from the Department of Health and Human Services, Redspin's calculations show that HIPAA data breaches -- which include both privacy and security violations -- have actually increased 138 percent from last year, and that since 2009 some 29.3 million people have had their medical records stolen, inappropriately accessed, hacked or reported missing.