New Survey: Compliance is Job #1 in 2012
Healthcare Info Security Survey Outlines Unfinished Business
HealthcareInfoSecurity conducted the online survey of information security professionals and other senior executives, which was sponsored by Diebold and Experian Data Breach Resolution. A full report on all the results, featuring in-depth analysis, is now available.
The survey pinpoints many shortcomings in healthcare organizations' information security efforts, including:
- Twenty-six percent of organizations have yet to conduct a risk assessment, as mandated by HIPAA.
- Forty-three percent grade their ability to counter information security threats as poor, failing or in need of improvement.
- Less than half have a defined information security budget.
- Twenty-five percent say they've experienced an information breach of any size that had to be reported to federal authorities. Some experts say a much larger percentage of organizations have likely experienced breaches, but they may be unaware of the incidents.
New Attitude
The ranking of regulatory compliance as the No. 1 priority for the coming fiscal year could signal a shift in attitudes about security, says attorney Adam Greene of the law firm Davis Wright Tremaine. "Executives are seeing large breaches of patient data on front pages, and it is suddenly becoming a much stronger incentive for them to allocate resources to information security," he says.
Plus, the Department of Health and Human Services' Office for Civil Rights has ramped up HIPAA enforcement, including fines imposed on such organizations as Massachusetts General Hospital and UCLA Health System for violations. And the office will launch a HIPAA audit program in 2012.
"It's becoming increasingly clear that the age of strictly voluntary compliance with respect to HIPAA has come to an end, and the threat of expensive settlements and corrective action plans with federal and state regulators is becoming an increasing reality," says Greene, who formerly was an official at the HHS Office for Civil Rights.
Increases in Security Spending
About 43 percent of organizations expect to spend more on information security in the coming fiscal year.
"As healthcare leaders discover how much more vulnerable their information systems are, and the real costs for breaches, the return on investment calculus is shifting," says Christopher Paidhrin, security compliance officer at PeaceHealth Southwest Medical Center in Vancouver, Wash. As more clinicians and others use mobile devices, "that alone will greatly increase vulnerability concerns and costs," he notes.
Security Training
In addition to improving compliance with the HITECH Act, HIPAA and other regulations, a top information security priority for the coming fiscal year is improving security awareness and education for physicians, staff, executives and board members, the survey shows.
About 43 percent of respondents grade the current effectiveness of their security training and awareness activities as poor, failing or in need of improvement.
"A lot of organizations did their initial HIPAA training as required, and that was pretty much the extent of the training they offered," says Terrell Herzig, information security officer at UAB Medicine in Birmingham, Ala.
Top Security Investments
Top technology investments for the coming year include audit logs/log management and mobile device encryption. Audit logs can help detect and deter internal misuse of patient data that would otherwise lead to HIPAA violations. And mobile device encryption is an important breach prevention measure, especially in light of the large number of major breach incidents that have involved the loss or theft of mobile devices.
Some 25 percent of survey respondents report their organization has experienced a breach of any size that had to be reported to the HHS Office for Civil Rights, as required under the HIPAA breach notification rule.
"I expect that far more than 25 percent of organizations are experiencing impermissible uses and disclosures of some size, which have the potential to cause reputational or financial harm to individuals," Greene says. "So either organizations' security practices are better than I thought, which is not really suggested by the rest of the survey responses, or organizations may not be looking very hard."
For complete survey results and analysis, view the full report.