HIMSS Analytics: Compliance Prioritization Puts Patient Data at Risk | Healthcare Informatics Magazine

April 12, 2012
by Gabriel Perna

According to a new report from HIMSS Analytics, the Chicago-based research arm of the Healthcare Information Management and Systems Society (HIMSS), a focus on the regulations and guidelines governing data security in healthcare is not resulting in increased security. The study, called The 2012 HIMSS Analytics Report: Security of Patient Data, says there has been a rise in data breaches over the last six years even with tight regulatory activity and compliance surrounding reporting and auditing procedures.

The report indicated that healthcare industry professionals feel more prepared than ever to confront data security risks, giving themselves a 6.40 rating on a scale of one to seven (with one being "not at all prepared" and seven being "extremely prepared"), as compared to 6.06 in 2010 and 5.88 in 2008. Yet despite this, a growing 27 percent of respondents reported a security breach during that same time period (up from 19 percent in 2010 and 13 percent in 2008). Furthermore, 69 percent experienced more than one, indicating that increased preparedness is not synonymous with increased security.

According to the report, human error remains the greatest threat to healthcare data security. In 2012, 79 percent of respondents reported that a security breach was perpetrated by an employee. Fifty-six (56) percent of respondents indicated that the source of a reported breach was unauthorized access to information by an individual employed by the organization at the time of the breach.  

Mobility is also a cause of increased data breaches, according to the report. Thirty-one (31) percent of respondents indicated that information available on a portable device was among the factors most likely to cause a breach (up from 20 percent in 2010 and four percent in 2008). Also, the expectations of third-party data security practices are not keeping pace with the increased outsourcing of patient data, the report says. Essentially, third-party breaches are on the rise.

According to the study, 18 percent of respondents that experienced a breach in the past 12 months cited third parties as the root cause. Twenty-eight (28) percent of respondents indicated that "sharing information with external parties" is the top item that put patient data at risk (up from 18 percent in 2010 and 6 percent in 2008).

"Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information. We know that most security breaches often are the result of actions taken by employees, so background checks, employee training and continued monitoring of policies and procedures are steps all covered entities should ensure are taken by their business associates," Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS), said in a statement.

There is also a lack of clarity on who is responsible for data security. Respondents named the HIM Director (21 percent), the CIO (19 percent), the Chief Privacy Officer, Chief Compliance Officer and CEO (12 percent for each title), and the Chief Security Officer (10 percent) as responsible, indicating that one set person has not been defined by the industry.

The report was sponsored by Kroll (New York, N.Y.). HIMSS surveyed 250 healthcare industry professionals for this research, conducted in December 2011.


