Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:36 PM

Data Security Not High On Hospitals' Priority List

Fewer than half of large facilities conduct annual risk assessments, but that might have to change, according to CSC consultant.

Slideshow: Siemens Healthcare DataCenter Virtual Tour
Slideshow: Siemens Healthcare Data Center Virtual Tour
(click for larger image and for full slideshow)
New HIPAA data security requirements and the Meaningful Use criteria for the security of personal health information (PHI) make it essential for hospitals to beef up their security measures, says a new report from the CSC consulting firm. Yet according to a HIMSS study cited in the report, fewer than half of hospitals even do an annual security risk assessment.

According to the rules for stage 1 and the putative rules for stage 2 of Meaningful Use, CSC consultant Jared Rhoads writes in his report, institutions must conduct an annual risk analysis and correct any deficiencies "by implementing the appropriate policies and technical capabilities."

Under the HITECH provisions of the American Recovery and Reinvestment Act, HIPAA security provisions are also being tightened. Proposed regulations--expected to be finalized this fall--require new breach notifications, extend security rules to business associates, further restrict the marketing and sale of PHI, and mandate annual risk assessments.

Yet a HIMSS survey of large healthcare organizations found that just 47% conduct risk annual assessments. Fifty-eight percent of the respondents had no staff members dedicated to security, and 50% spent 3% or less of organizational resources on security.

Rhoads wasn't surprised that so few hospitals put an intense focus on data security. Some hospitals think that security technology alone will protect them, "but it's a lot deeper than that," he told InformationWeek Healthcare. "You have to have the right processes and do continual training and risk assessments."

Rhoads also points out that some hospitals might have been lulled into complacency because the government did not strictly enforce the HIPAA security rules until recently. But now the Office of Civil Rights (OCR) is taking a more aggressive stance toward enforcement. Starting later this year or early in 2012, OCR will start auditing organizations for compliance, he noted. Because of this, the new HIPAA regs, and the Meaningful Use requirement, he expects hospitals to step up their security efforts.

Not that hospitals haven't been trying to improve their security. In HIMSS' 2011 Leadership Survey, 26% of responding CIOs said their organization had experienced a security breach in the past 12 months, slightly more than in the previous year. Thirty-six percent of respondents said this was their biggest security concern. The second largest number of respondents--30%--said that complying with HIPAA and CMS regulations was their biggest security issue. Lack of compliance with a business associate agreement was far down the list, with only 3% of respondents saying this was a major worry.

Rhoads said that it will be difficult for providers to police the security processes of their business associates--and it will be even more problematic if the HIPAA final rule also covers subcontractors of business associates, as proposed. He suggested that healthcare providers include language addressing security in their contracts with business associates. Also, he said, they should hold regular meetings with these entities to review their security policies.

Rhoads also recommended that hospitals encrypt their data, if they don't already. While the proposed HIPAA rule doesn't require that, it does say that encryption is "addressable"--meaning that if you don't encrypt data, you have to destroy it, according to the CSC consultant. Moreover, he noted, there's a safe harbor for encryption: If encrypted data is lost or stolen, the breach doesn't have to be reported in the same way as a breach of unencrypted data.

Two-factor authentication--using two different types of data to authenticate someone logging onto the system--is not going to be required any time soon, Rhoads said. But someday it might be required for remote access to a hospital system or for health information exchange, he added.

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.