Healthcare News & Insights

3 critical security best practices not required by HIPAA

With HIPAA and the HITECH Act, healthcare providers must follow a lot of regulations for protecting patient data. However, a new study says many organizations may be focusing too much on compliance and missing other critical best practices. 

Health data is incredibly valuable to criminals. As a result, health care is one of the industries frequently targeted by hackers.

That’s even more the case now than it has been in the past, as electronic health records (EHRs) have made health data more mobile and accessible, and the use of mobile devices has created more opportunities for staff members to lose data or have it stolen.

Because of those and other factors, the number of data breaches involving patient health information is rising — and quickly. In the past 12 months, 27% of healthcare organizations have suffered at least one data breach, according to the recently published 2012 HIMSS Analytics Report: Security of Patient Data, commissioned by Kroll Advisory Solutions.

That’s significantly more than the 19% that reported the same in 2010, and more than twice as many as in a 2008 survey (13%). And the actual number of breaches suffered in the past year may be higher, as 18% of organizations weren’t sure if any breaches had occurred.

But despite the increasing prevalence of breaches of health data, organizations actually believe they’re less likely to suffer a breach now than in the past. When asked to rate their security readiness on a scale of one to seven, the 250 organizations surveyed gave an average answer of 6.40. That’s compared to 6.06 in 2010 and 5.88 in 2008.

The reason for the disconnect, according to researchers: Organizations are focused more on complying with regulations than actually keeping patient data secure.

Of the organizations that suffered a breach, just 25% said the incident triggered a change in security practices. In contrast, 73% said changes in laws such as HIPAA and HITECH drove security changes.

The focus on compliance rather than data protection is particularly evident in the ways organizations deal with third-party vendors that store and access patient information. As cloud computing becomes more popular in healthcare, more data breaches involve third parties, and organizations must be diligent about making sure information is protected when it’s in someone else’s hands.

However, the survey found that, when dealing with third parties, most organizations met the legal requirements but many missed critical security best practices that the law does not mandate, such as:

  1. Requiring third-party vendors to conduct periodic risk assessments — Just about half (56%) of respondents ask vendors that hold sensitive medical data to run those assessments.
  2. Validating third parties’ workforce — The same number (56%) of organizations require proof of employee background checks from third parties. As many data breaches are carried out by insiders, it’s important for organizations to make sure their own employees and third-party employees are properly screened.
  3. Making sure third parties’ employees are trained — Most organizations conduct some kind of training to make sure employees work securely. However, just 50% require third parties to verify that their employees have been trained.
