Survey: Senior management lacks resources for patient privacy

By Molly Merrill
07:00 AM

A new survey shows that IT practitioners believe their organizations are lacking when it comes to protecting patient information.

The study – conducted by Ponemon Institute, an independent researcher on privacy, data protection and information security policy, and sponsored by San Jose-Calif-based LogLogic – surveyed 542 IT practitioners from healthcare organizations with an average of more than 1,000 employees.

According to the study, 61 percent of practitioners believe their organizations don't have enough resources to meet privacy and data security requirements – and 70 percent think senior management doesn't consider it a priority.

“The majority of IT practitioners in our study don’t believe that their organizations have adequate resources to protect patients’ sensitive or confidential information,” said Larry Ponemon, chairman and founder of The Ponemon Institute. “The lack of resources and support from senior management is putting electronic health information at risk.”

The majority of survey respondents say their organizations had one or more data breaches that involved the loss of patient health information. Of those respondents, 33 percent say more than 90 percent of their organization’s data breaches involved electronic health information stored on databases.

According to the study, the most frequently cited security measures used to protect electronic health information are policies and procedures (81 percent), anti-virus and anti-malware systems (69 percent), training and awareness programs (67 percent) and perimeter controls such as multilayered firewalls (61 percent).

Researchers say that since one of the most significant threats is a data breach, it's surprising that only 23 percent of healthcare institutions use data loss prevention (DLP) solutions.

“Without resources and support from senior management, preventing the loss of data may be very difficult,” the study consluded. “We recommend that organizations pursue a strategy of assigning accountability for the protection of electronic health information, appropriate technology to prevent the insider threat (such as DLP solutions) and senior management buy-in for the necessary resources to get the job done right.”

LogLogic also surveyed healthcare IT security professionals at seven large hospitals and medical groups to understand how they balance the benefits of electronic medical records with instituting practices and technology solutions to guard patient confidentiality. Survey respondents say the new HIPAA rules, while not a perfect security solution, are a good start in improving the protection of electronic patient records.

The survey cites two challenges for going electronic and meeting HIPAA and security requirements. The first is understanding the new HIPAA 2.0 rules and applying them to patient data in the organization.

“With HIPAA, it’s all around the patient data,” said the chief compliance officer at a Northeastern medical organization. “You need to make sure patient data is not inadvertently or inappropriately accessed, but first you have to think about where that data resides and how it’s used.”

The second concern is providing management support for implementing proper security measures.

“Our top challenge is really political, not technical,” said the security head at a hospital in the Midwest. “Getting senior management buy-in to get things HIPAA requires done is hard. They see a lot of this as a hindrance to workflow and clinicians. We don’t have a problem with funding. It’s implementing simple security practices that is hardest with senior management.”