Compliance and Confidence Do Not Equal Security

The 2012 “HIMSS Analytics Report: Security of Patient Data” reveals that even though businesses are increasingly confident that they are better prepared to handle attempted data thefts, the actual number of breaches continue to rise. [1] The HIMSS commissioned Kroll Advisory Solutions for this survey, and Kroll Advisory Solutions senior vice president, Brian Lapidus emphasizes that being in compliance is not actually equal to protecting personal health information (PHI).[2] In spite of increased compliance, breaches have not slowed over the last six years.

Compliance does not equal security. 
Theft was actually the most common form of reported breaches in healthcare in 2010. According to the report, some of the breaches that have impacted 500 or more people including the following:

• 99 incidents involved theft of paper records or electronic media, together affecting approximately 2,979,121 individuals.
• Loss of electronic media or paper records affected approximately 1,156,847 individuals.
• Unauthorized access to, or uses or disclosures of, protected health information affected approximately 1,006,393 individuals.
• Human or technological errors, or other failures to take adequate care of protected health information, affected approximately 78,663 individuals.
• Improper disposal of paper affected approximately 70,279 individuals.

Healthcare is at most risk.
According to the report, “the U.S. healthcare industry is still one of the most at risk for significant data breaches.” As I’ve highlighted last February, the US Healthcare industry is also a key target because of the high value of stolen healthcare records.[3] Healthcare faces the complexities of a changing landscape that involve use of electronic health records, increased use of mobile devices in healthcare, more third party healthcare vendors, and ongoing regulatory changes. All these factors add to the complexity of assuring PHI security.

Healthcare faces a variety of internal vulnerabilities that must be addressed. The reports highlights the following:

False sense of security linked to regulatory compliance. 
In spite of increased compliance, few organization have any insights into the efficacy of their security programs. The report shows that organizations are more likely to update their security action plan in response to new regulations instead of updating in response to actual security breaches.

Employees threaten security through accidental and deliberate breaches.
From unauthorized access to information to lack of attention to policy, staff continually put data at risk. Facilities must assure accountability happens at all levels and that there are sufficient consequences for policy breaches.

Third party vendors threaten security. 
Though most healthcare facilities require vendors to sign Business Associate agreements, only half make sure that their providers “conduct a periodic risk analysis to identify security risks and vulnerabilities.”  They also must make sure vendors are doing background checks on new employees and providing regular security training.

Mobile devices can be a source of risk.
The potential for mobile devices to be stolen or attacked increase risk to data stored on those devices.

Lack of security ownership hurts many organizations.
Many organizations lack a clear security champion who takes responsibility for the overall security picture including compliance issues.

This report challenges organizations to move beyond monitoring and reactive security procedures to a proactive policy that can adjust to the rapidly evolving threats.

[1] The 2012 HIMSS Analytics Report: Security of Patient Data http://www.himssanalytics.org/research/AssetDetail.aspx?pubid=79879&tid=4>
[2] Taylor Armerding. “Compliance isn’t security, but companies still pretend it is, according to survey.” CSO Online, April 19, 2012 http://www.csoonline.com/article/704577/compliance-isn-t-security-but-companies-still-pretend-it-is-according-to-survey>
[3] Healthcare Primed for Major Data Breach, February 5, 2012 https://integracon.wordpress.com/2012/02/05/healthcare-primed-for-major-data-breach/>