Data Security Not High On Hospitals Priority List

Published: 22/11/2024   Category: security




Fewer than half of large facilities conduct annual risk assessments, but that might have to change, according to CSC consultant.



[Slideshow: Siemens Healthcare Data Center Virtual Tour]

New HIPAA data security requirements and the Meaningful Use criteria for the security of personal health information (PHI) make it essential for hospitals to beef up their security measures, says a new report from the CSC consulting firm. Yet according to a HIMSS study cited in the report, fewer than half of hospitals even do an annual security risk assessment.
According to the rules for stage 1 and the putative rules for stage 2 of Meaningful Use, CSC consultant Jared Rhoads writes in his report, institutions must conduct an annual risk analysis and correct any deficiencies by implementing the appropriate policies and technical capabilities.
Under the HITECH provisions of the American Recovery and Reinvestment Act, HIPAA security provisions are also being tightened. Proposed regulations--expected to be finalized this fall--require new breach notifications, extend security rules to business associates, further restrict the marketing and sale of PHI, and mandate annual risk assessments.
Yet a HIMSS survey of large healthcare organizations found that just 47% conduct annual risk assessments. Fifty-eight percent of the respondents had no staff members dedicated to security, and 50% spent 3% or less of organizational resources on security.
Rhoads wasn't surprised that so few hospitals put an intense focus on data security. "Some hospitals think that security technology alone will protect them, but it's a lot deeper than that," he told InformationWeek Healthcare. "You have to have the right processes and do continual training and risk assessments."
Rhoads also points out that some hospitals might have been lulled into complacency because the government did not strictly enforce the HIPAA security rules until recently. But now the Office of Civil Rights (OCR) is taking a more aggressive stance toward enforcement. Starting later this year or early in 2012, OCR will start auditing organizations for compliance, he noted. Because of this, the new HIPAA regs, and the Meaningful Use requirement, he expects hospitals to step up their security efforts.
Not that hospitals haven't been trying to improve their security. In the HIMSS 2011 Leadership Survey, 26% of responding CIOs said their organization had experienced a security breach in the past 12 months, slightly more than in the previous year. Thirty-six percent of respondents said this was their biggest security concern. The second largest number of respondents--30%--said that complying with HIPAA and CMS regulations was their biggest security issue. Lack of compliance with a business associate agreement was far down the list, with only 3% of respondents saying this was a major worry.
Rhoads said that it will be difficult for providers to police the security processes of their business associates--and it will be even more problematic if the HIPAA final rule also covers subcontractors of business associates, as proposed. He suggested that healthcare providers include language addressing security in their contracts with business associates. Also, he said, they should hold regular meetings with these entities to review their security policies.
Rhoads also recommended that hospitals encrypt their data, if they don't already. While the proposed HIPAA rule doesn't require that, it does say that encryption is "addressable"--meaning that if you don't encrypt data, you have to destroy it, according to the CSC consultant. Moreover, he noted, there's a safe harbor for encryption: If encrypted data is lost or stolen, the breach doesn't have to be reported in the same way as a breach of unencrypted data.
Two-factor authentication--using two different types of data to authenticate someone logging onto the system--is not going to be required any time soon, Rhoads said. But someday it might be required for remote access to a hospital system or for health information exchange, he added.
Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)
