Healthcare Industry Continues to Overlook Critical Gaps in Data Security, According to New Bi-Annual Report

Share Article

Despite new statutory and regulatory requirements for healthcare privacy and security, a new survey of U.S. healthcare organizations suggests that while organizations are updating their security environments, data continues to be at risk

As the healthcare industry prepares for a major shift to electronic health records (EHRs) over the next several years, a new bi-annual report provides data that shows that providers are still having difficulty adequately securing patient data in a rapidly changing landscape. The 2010 HIMSS Analytics Report: Security of Patient Data indicates that healthcare organizations are actively taking steps to ensure that patient data is secure.

However, these efforts appear to be more reactive than proactive, as hospitals dedicate more resources toward breach response vs. breach prevention through risk management activities. The report, which surveys healthcare organizations nationwide, was commissioned by Kroll Fraud Solutions, a leading provider of data protection and identity theft response services.

“The results of the latest study are bittersweet to say the least”, said Brian Lapidus, chief operating officer for Kroll Fraud Solutions. “On one hand, healthcare organizations are demonstrating increased awareness of the state of patient data security as a result of heightened regulatory activity and increased compliance. On the other, organizations are so afraid of being labeled ‘noncompliant’ that they overlook the bigger elephant in the room, the still-present risk and escalating costs associated with a data breach. We need to shift the industry focus from a ‘check the box’ mentality around compliance to a more comprehensive, sustained look at data security.”

When the 2008 HIMSS Analytics Report: Security of Patient Data was released in April 2008, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the primary regulatory requirement dominating the healthcare space. At the time, the study suggested that HIPAA’s focus on medical privacy fostered a significant lack of awareness among healthcare providers around the frequency, cause and seriousness of patient identity theft. According to the latest study, the same is true in 2010, despite the flurry of regulatory activity around patient data security over the past two years and the severe financial penalties these laws impose.

Key report findings include:

1. Despite new regulatory activity, including the implementation of Red Flags Rule and HITECH Act, and increased compliance among healthcare providers, the reporting of healthcare breaches is on the rise.

  •     The majority of survey participants indicated that they were compliant with existing laws and regulations. Average responses were above a 6.0 (on a scale of 1-7, with 7 being the highest level of compliance) for almost all laws and regulations, including CMS Regulations, HIPAA, State Security Laws and Red Flags Rule. Only HITECH scored lower (5.75), most likely due to the fact that HITECH was still not fully implemented at the time of the survey.
  •     The number of healthcare organizations that reported a breach increased by six percent in 2010 to 19 percent of total respondents – up from 13 percent in 2008.
  •     When asked to rate their level of “preparedness” for a future security breach, respondents from organizations having experienced a breach cited a preparedness level of 6.06 (on a scale of 1-7, with 7 being most prepared).

2. Healthcare organizations continue to underestimate the high costs of a data breach, despite the fact that penalties for HITECH violations can reach as high as $1.5 million dollars.(1)

  •     Patient satisfaction was most frequently cited as the primary impact of a data breach on their organization (38 percent), while only 15 percent cited the financial costs – down from 18 percent in 2008.

3. Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.

  •     87 percent of respondents indicated that they have policies in place to monitor access and sharing of electronic health information, yet research shows that 84 percent of healthcare breaches since 2003 were due to “low tech” incidents such as lost or stolen laptops, improper disposal of documents, stolen backup tapes, etc.(2)
  •     60 percent of respondents said they required third party vendors to provide proof of employee training and only half indicated that they required third party vendors to provide proof of employee background checks. As organizations prepare for the broader sharing of electronic health records across massive networks of providers, payors, state and federal repository systems, third party involvement is only expected to increase in the coming years.

“We’d still like to see increasing maturity of data security function – from a checklist compliance approach to an organization-wide risk management approach,” said Lisa Gallagher, senior director of privacy and security for HIMSS. “We’d like to see recognition of security risk as a business risk and have the function appropriately supported and resourced by executive management. The healthcare environment is only going to become more complex over time with the emphasis on health information exchange and new technology approaches such as cloud computing.”

The 2010 HIMSS Analytics Report also noted significant differences between security policies and procedures by hospital type. Critical access facilities lagged behind general medical/surgical facilities and academic medical centers in several key areas, including:

  •     Monitoring Electronic Patient Health Information Access and Sharing: 74 percent of respondents from critical access hospitals said their organization has such policies in place, as compared with 100 percent of academic medical center respondents and 95 percent of general medicine/surgical.
  •     Auditing Processes for Sharing Patient Data with Outside Entities: 61 percent of respondents from critical access hospitals reported conducting regular audits, as compared to 90 percent from academic medical centers and 80 percent from general medicine/surgical hospitals.

Survey Methodology: A total of 250 healthcare industry professionals participated in this research conducted in December 2009. They included Health Information Management (HIM) managers (45 percent), senior information technology (IT) executives (25 percent), compliance and privacy officers (25 percent), chief security officers (4 percent) and others associated with information management (1 percent). Most respondents were from small to mid-sized healthcare facilities.

For a copy of the 2010 HIMSS Analytics Report: Security of Patient Data and for more information on best practices in healthcare data security, please visit:

About Kroll

Kroll, the world's leading risk consulting company, provides a broad range of investigative, intelligence, financial, security and technology services to help clients reduce risks, solve problems and capitalize on opportunities. Kroll Inc. is a wholly-owned subsidiary of Marsh & McLennan Companies, Inc. (NYSE: MMC), the global professional services firm. Kroll began providing identity theft solutions in 1999 and created its Fraud Solutions practice in 2002 in response to increasing requests from clients for counsel and services associated with the loss of sensitive personal information, and related identity protection and restoration issues facing organizations and individuals.

Since then, Kroll’s Fraud Solutions clients have included Fortune 500 companies, non-profit organizations, and government entities dealing with healthcare, financial services, insurance, consumer service, and any activity involving the collection and use of personal information. Kroll’s Fraud Solutions team presently serves over 10,000 businesses and millions of individual consumers. For more information, visit: For expert commentary on the latest data security and identity theft issues, visit the Kroll Fraud Solutions blog “A Dialogue on Data Security” at

About HIMSS Analytics

HIMSS Analytics supports improved decision-making for healthcare organizations, and healthcare IT companies and consulting firms by delivering high quality data and analytical expertise. The company collects and analyzes healthcare organization data relating to IT processes and environments, products, IS department composition and costs, IS department management metrics, healthcare delivery trends and purchasing related decisions.

HIMSS Analytics is a wholly-owned, not-for-profit subsidiary of the Healthcare Information and Management Systems Society (HIMSS).

1. Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act (HITECH) as part of the American Recovery and Reinvestment Act of 2009 (ARRA), signed into law by President Obama February 17, 2009



Share article on social media or email:

View article via:

Pdf Print

Contact Author

Emilie Moghadam
Email >

Joyce Lofstrom
Email >
Visit website