Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/24/2012
04:43 PM
50%
50%

Healthcare's Checklist Security Mentality Failing, Report Says

Despite conducting regular risk analysis, 27% of healthcare organizations suffered a data breach in the last 12 months, twice the percentage reported in 2010. Lack of cohesive security leadership might be to blame, report says.

Is A Personal Health Record In Your Future?
Is A Personal Health Record In Your Future?
(click image for larger view and for slideshow)
Most hospitals--89%--conduct regular risk analysis. However, few ever take actual steps to improve patient data security. With that in mind, healthcare delivery organizations must change their data security strategy from that of a monitoring and reactive stance and adopt proactive measures to mitigate threats, concludes a report commissioned by Kroll Advisory Solutions.

2012 HIMSS Analytics Report: Security of Patient Data, which was prepared in collaboration with the Healthcare Information and Management Systems Society, raised concerns about the continued implementation of security practices that "overemphasize a 'checklist' mentality for compliance without implementing more comprehensive and sustainable changes needed for meaningful improvements in the day-to-day handling of patient Personal Health Information (PHI) and Patient Identity Integrity (PII)."

"Employees at healthcare organizations touch data tens of thousands of times every day, meaning there is a lot of opportunity for data breaches to occur," Jennifer Horowitz, senior director of research at HIMSS Analytics, told InformationWeek Healthcare. She said organizations should ..."have the policies and procedures in place to support a culture in which privacy and security is a top-of-mind focus for organizations."

[ Most of the largest healthcare data security and privacy breaches have involved lost or stolen mobile computing devices. For possible solutions, see 7 Tools To Tighten Healthcare Data Security]

The report was based on interviews with 250 senior information technology executives in December 2011. It presented participants with a scale of one to seven, where one was "not at all compliant" and seven was "compliant with all applicable standards," and asked respondents to rate their level of compliance with the regulations that govern PHI.

Respondents indicated their organizations are most compliant with the Centers for Medicaid and Medicare Services (CMS) regulations, with an average score of 6.64. Respondents were least compliant with the Health Information Technology for Economic and Clinical Health (HITECH) Act, though compliance with this set of regulations was still very high, with an average score of 5.97.

According to Horowitz, many health delivery organizations have created checklists because they are trying to be in compliance with Meaningful Use. However, they need to step up their game and take further action--they should conduct a risk assessment, take action based on the findings of that risk assessment, and implement the appropriate corrective measures to better secure patient data.

The document reiterated much of what has already been uncovered in other reports--namely that the number of data breaches is on the rise, employees often are the source of patient data theft and unauthorized breaches, and the increasing use of mobile devices by physicians and other health providers puts patient data more at risk.

Among the report's key findings:

-- 27% of respondents said their organization had had a security breach in the past 12 months, compared with 19% in 2010 and 13% in 2008. Of those who reported a breach, 69% experienced more than one.

-- 56% said that the source of the breach was unauthorized access to information by an employee.

-- Demonstrating high levels of compliance with HIPAA regulations, 98% said they require third parties to sign a business associate (BA) agreement, and 82% require third parties to notify them of a breach. However, only 56% of respondents said they ensure that their third-party vendors conduct a periodic risk analysis.

-- 22% of respondents who had suffered a breach--twice the percentage (11%) in 2010--said data was compromised when a laptop, handheld device, or computer hard drive was lost or stolen.

The report also looked at who is in charge of patient data safety, and found that several executives hold that responsibility. Twenty-one percent of respondents said the health information management (HIM) director is responsible for patient data security; 19% said it's the chief information officer; 12% each cited the chief privacy officer, chief compliance officer, and chief executive officer; and 10% cited the chief security officer.

"There is still a lack of consensus among the industry as to who has the final say in securing data at an organization," Horowitz said. "If you look across the industry, you don't see a consolidation towards more and more hospitals using a chief security officer. Instead, organizations are assigning the responsibility of securing data to a multitude of titles--the most commonly used being the HIM directors and CIOs."

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.