
HIMSS Analytics: Compliance Prioritization Puts Patient Data at Risk

April 12, 2012
by Gabriel Perna

According to a new report from HIMSS Analytics, the Chicago-based research arm of the Healthcare Information and Management Systems Society (HIMSS), a focus on the regulations and guidelines governing data security in healthcare is not resulting in increased security. The study, called The 2012 HIMSS Analytics Report: Security of Patient Data, says data breaches have risen over the last six years even with tight regulatory activity and compliance surrounding reporting and auditing procedures.

The report indicated that healthcare industry professionals feel more prepared than ever to confront data security risks, giving themselves a 6.40 rating on a scale of one to seven (with one being "not at all prepared" and seven being "extremely prepared"), as compared to 6.06 in 2010 and 5.88 in 2008. Yet despite this, a growing 27 percent of respondents reported a security breach during that same time period (up from 19 percent in 2010 and 13 percent in 2008). Furthermore, 69 percent experienced more than one, indicating that increased preparedness is not synonymous with increased security.

According to the report, human error remains the greatest threat to healthcare data security. In 2012, 79 percent of respondents reported that a security breach was perpetrated by an employee. Fifty-six (56) percent of respondents indicated that the source of a reported breach was unauthorized access to information by an individual employed by the organization at the time of the breach.  

Mobility is also a cause of increased data breaches, according to the report. Thirty-one (31) percent of respondents indicated that information available on a portable device was among the factors most likely to cause a breach (up from 20 percent in 2010 and four percent in 2008). Also, the expectations of third-party data security practices are not keeping pace with the increased outsourcing of patient data, the report says. Essentially, third-party breaches are on the rise.

The study found that 18 percent of respondents that experienced a breach in the past 12 months cited third parties as the root cause. Twenty-eight (28) percent of respondents indicated that "sharing information with external parties" is the top item that put patient data at risk (up from 18 percent in 2010 and 6 percent in 2008).

"Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information. We know that most security breaches often are the result of actions taken by employees, so background checks, employee training and continued monitoring of policies and procedures are steps all covered entities should ensure are taken by their business associates," Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS), said in a statement.

There is also a lack of clarity on who is responsible for data security. Respondents named the HIM Director (21 percent), CIO (19 percent), Chief Privacy Officer, Chief Compliance Officer and CEO (12 percent for each title) and Chief Security Officer (10 percent) as responsible, indicating that the industry has not defined one set person for the role.

The report was sponsored by Kroll (New York, N.Y.). HIMSS surveyed 250 healthcare industry professionals for this research, conducted in December 2011.


