The recent study commissioned by Kroll Advisory Solutions shows a clear increase in data breaches. 27% of the respondents stated they had at least one security breach during the past year, up from 19% in 2010 and 13% in 2008. Respondents indicated that 79% of breaches were attributed to employees, while most of the others were due to the actions of outsourced or contract employees. More than half of the problems were identified as "unauthorized access to information," typically the patient's name and date of birth, by an individual.
The study reported that paper breaches, including improper destruction of records, accounted for over 40% of incidents. Computer security issues were increasing rapidly: problems around the use or loss of laptops or portable handheld devices were identified 22% of the time. Data breach problems involving third-party vendors retaining healthcare data rose to 10%, up from 6% in 2010. Network breaches due to outside attacks were reported in about 3% of cases.
In the report, 31% felt that information available on a portable device was the factor most likely to contribute to the risk of a breach; in 2010 the estimate was 20%. Twenty-two percent of those who responded said data was compromised when a laptop, handheld device or computer hard drive was lost or stolen, twice the number who said this in 2010.
The following is an excerpt from an article by Ellen Messmer at Network World.
The report says the vast majority of healthcare institutions conduct formal risk analysis, relying mainly on federal guidelines such as CMS Meaningful Use requirements and the National Institute of Standards and Technology. The goal is to comply with the mandates of the American Recovery and Reinvestment Act of 2009, which includes funding for healthcare records, and the HITECH Act, which contains penalties for security lapses related to misuse of patient healthcare information.
The report says almost all the survey's respondents had taken steps to prepare their hospitals and medical centers for a possible federally run Office for Civil Rights HIPAA audit. Four percent had been audited, and 90% in this case indicated they'd try to prepare better in the future. Two percent of all respondents said their organization had been fined as a result of a HIPAA violation.
The key here is in the very last sentence. Those organizations that were fined for HIPAA violations also faced the threat of prolonged legal action. An organization that does not take the steps to reduce the risk gambles its own future. The cost of controlling the data is one thing; the cost of protecting the data is another that cannot be ignored.