Snooping staff still a big concern

Healthcare groups show modest security improvements, but are still seriously lacking in several areas
By Erin McCann
10:53 AM
Snooping staff still a big concern
The findings of a new HIMSS healthcare security report have been released, and the data may surprise you. 
 
Healthcare organizations appear to be taking patients' privacy and security a bit more seriously -- at least in the past 12 months, compared to previous years. Don't be too relieved, however: The numbers, though better, are hardly impressive. 
 
Moreover, there are still some big time concerns. Employee snooping on patients' medical records, for example, remains the top threat motivator, according to the study.
 
 
The findings of the 2013 HIMSS Security Survey, profiling the experiences of some 283 healthcare IT security professionals, detail improvements the industry has made with making privacy and security an issue -- perhaps because of the hefty $810,000 price tag that accompanies a healthcare security breach -- but also highlights additional work that must be done to mitigate insider threat, such as the inappropriate access of data by employees. 
 
Some 51 percent of healthcare groups have increased their security budgets in the past year, but nearly half of those organizations are still spending 3 percent or less of their overall IT budget on security initiatives that will secure patient data. Also in the last year, 19 percent of respondents reported a security breach, and 12 percent of organizations have had at least one known case of medical identity theft reported by a patient.

[See also: HIPAA data breaches climb 138 percent.]
 

Recognizing inappropriate data access by insiders as an area at risk of a security breach, healthcare groups have been increasingly utilizing several key technologies related to employee access to patient data, including user access control and audit logs of each access to patient health records. 
 
Just this past December, the five-hospital Riverside Health System in Southeast Virginia notified 1,000 of its patients they were affected by a HIPAA breach after discovering one of its employees had been snooping on patient records for four years. 
 
 
"Healthcare organizations are increasingly deploying technologies to increase data security, but continued analysis is crucial in ensuring the proactive prevention of data breaches within hospitals and physician practices," said Lisa A. Gallagher, vice president, technology solutions at HIMSS in a press release. "Without these anticipatory measures, security of patient data will remain a core challenge within our nation's healthcare organizations."