When it comes to security and privacy, healthcare providers say identity management and unauthorized data access by employees are their biggest concerns, according to a new report from the Orem, Utah-based KLAS.
Providers in this report rated unauthorized access by employees as their biggest concern. The second biggest concern stems from bring-your-own-device (BYOD) policies, which create risk for unmonitored system access, encryption failure, and theft or loss of devices containing protected health information (PHI).
According to the report, the stakes have never been higher as providers strive to meet meaningful use and Health Insurance Portability and Accountability Act (HIPAA) requirements and secure PHI in a world of increasing threats, technological evolution, and sophisticated hacking. One oversight can lead to heavy fines and damaging press coverage, it said.
KLAS spoke with 106 providers to find out where they felt the most at risk for breaches and to see which third-party firms they were turning to for assistance. Those providers in this study—"Security and Privacy Perception 2014: High Stakes, Big Challenges"— mentioned 46 different firms for security services within healthcare. Of those mentioned, CynergisTek, Deloitte, and Verizon were mentioned the most, followed by Dell, Fortrex Technologies, Hayes Management Consulting, IBM, and Santa Rosa Consulting.
According to providers, healthcare IT consulting firms are offering, on average, fewer security-related services than firms that focus predominantly on security. Of the health IT consulting firms, Santa Rosa Consulting provides the most services, followed by Dell. Health IT consulting firms mainly offer HIPAA and meaningful use risk assessments, while security-focused firms offer several additional services. Fifty-nine percent of providers said they had used a third-party firm for security and privacy services in the last 18 months, the report found.
One CIO in the report said, “Security and privacy are on my list of the top-three things that keep me up at night. I am really concerned because I just don’t have the right resources watching that. . . . There are people out there who are ill intended and who hack systems and steal medical identities. Every day there is another breach somewhere.”
“We are hearing from providers that security and privacy concerns are becoming a part of their everyday discussions," said Erik Westerlind, report author. "At this point, a market leader has yet to be established. As the stakes get higher, healthcare organizations are using multiple firms for their security and privacy needs to ensure they are covering all of their bases."