The Healthcare Information and Management System Society ("HIMSS") recently released its "Analytics Report: Security of Patient Data," the third installment of the report in the last six years.  Despite increased confidence in security safeguards, healthcare providers reported more breaches than in past years.  In 2008, only 13% of respondents reported a security breach.  In 2012, that number jumped to 27%.  Of those, 69% had multiple breaches in a single year. 

Why the increased confidence if breaches are actually on the rise? It could be that almost all healthcare providers are now conducting an annual formal risk analysis. According to the 2012 Analytics Report, 96% did so. This analysis may provide a false sense of security if it is completed but the vulnerabilities it identifies are not properly investigated or addressed.

Another reason may be that many healthcare companies focus on data breaches from an IT perspective when human resources and employee policies are just as important. For example, although loss of mobile devices remains a greater risk than in the past, human error is still considered the greatest risk. Unauthorized access by employees constituted 56% of breaches last year. Failure of employees to follow policies also creates an increased risk. Indeed, given the steady rise in outsourcing and third-party breaches, it is just as important for a third-party business associate to use adequate background checks and ongoing training for employees as it is for the healthcare provider itself.

Last, according to Kroll Advisory Solutions, which commissioned the HIMSS Report, "providers continue to prioritize compliance over security" given that compliance is the focus of HIPAA and the HITECH Act. Even if healthcare providers meet the statutory compliance standards, a security breach can happen and its results can be devastating. At best, a data breach can cause a serious business interruption. At worst, a provider can face governmental investigations, lawsuits and media attention that can negatively impact branding and patient trust.

At the very least, the HIMSS Report reflects the need for healthcare providers to consider all aspects of security breach risks and prepare a readiness plan should a breach occur. 
