New Survey: Compliance is Job #1 in 2012

Healthcare Info Security Survey Outlines Unfinished Business
Improving regulatory compliance efforts is the No. 1 information security priority for healthcare organizations in the year ahead. That's a key finding of the inaugural Healthcare Information Security Today survey.

HealthcareInfoSecurity conducted the online survey of information security professionals and other senior executives, which was sponsored by Diebold and Experian Data Breach Resolution. A full report on all the results, featuring in-depth analysis, is now available.

The survey pinpoints many shortcomings in healthcare organizations' information security efforts, including:

  • Twenty-six percent of organizations have yet to conduct a risk assessment, as mandated by HIPAA.
  • Forty-three percent grade their ability to counter information security threats as poor, failing or in need of improvement.
  • Less than half have a defined information security budget.
  • Twenty-five percent say they've experienced an information breach of any size that had to be reported to federal authorities. Some experts say a much larger percentage of organizations have likely experienced breaches, but they may be unaware of the incidents.

New Attitude

The ranking of regulatory compliance as the No. 1 priority for the coming fiscal year could signal a shift in attitudes about security, says attorney Adam Greene of the law firm Davis Wright Tremaine. "Executives are seeing large breaches of patient data on front pages, and it is suddenly becoming a much stronger incentive for them to allocate resources to information security," he says.

Plus, the Department of Health and Human Services' Office for Civil Rights has ramped up HIPAA enforcement, including fines imposed on such organizations as Massachusetts General Hospital and UCLA Health System for violations. And the office will launch a HIPAA audit program in 2012.

"It's becoming increasingly clear that the age of strictly voluntary compliance with respect to HIPAA has come to an end, and the threat of expensive settlements and corrective action plans with federal and state regulators is becoming an increasing reality," says Greene, who formerly was an official at the HHS Office for Civil Rights.

Increases in Security Spending

About 43 percent of organizations expect to spend more on information security in the coming fiscal year.

"As healthcare leaders discover how much more vulnerable their information systems are, and the real costs for breaches, the return on investment calculus is shifting," says Christopher Paidhrin, security compliance officer at PeaceHealth Southwest Medical Center in Vancouver, Wash. As more clinicians and others use mobile devices, "that alone will greatly increase vulnerability concerns and costs," he notes.

Security Training

In addition to improving compliance with the HITECH Act, HIPAA and other regulations, a top information security priority for the coming fiscal year is improving security awareness and education for physicians, staff, executives and board members, the survey shows.

About 43 percent of respondents grade the current effectiveness of their security training and awareness activities as poor, failing or in need of improvement.

"A lot of organizations did their initial HIPAA training as required, and that was pretty much the extent of the training they offered," says Terrell Herzig, information security officer at UAB Medicine in Birmingham, Ala.

Top Security Investments

Top technology investments for the coming year include audit logs/log management and mobile device encryption. Audit logs can help ward off internal threats to avoid HIPAA violations. And mobile device encryption is an important breach prevention measure, especially in light of the large number of major breach incidents that have involved the loss or theft of mobile devices.

Some 25 percent of survey respondents report their organization has experienced a breach of any size that had to be reported to the HHS Office for Civil Rights, as required under the HIPAA breach notification rule.

"I expect that far more than 25 percent of organizations are experiencing impermissible uses and disclosures of some size, which have the potential to cause reputational or financial harm to individuals," Greene says. "So either organizations' security practices are better than I thought, which is not really suggested by the rest of the survey responses, or organizations may not be looking very hard."

For complete survey results and analysis, view the full report.


About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.