The prognosis for healthcare data security? Getting better, if only slowly. The fifth annual Healthcare Information and Management Systems Society (HIMSS) Security Survey finds the industry making measurable improvements in several key areas.
That’s not to say there isn’t room left to improve. Survey respondents rated the maturity of their security environments an average of 4.64 on a scale of one to seven (one being not at all mature and seven very mature). Given that middling self-assessment, and the high cost and frequency of medical breaches, it’s vital for organizations to keep making progress. Here are five signs from the 2012 survey, sponsored by Experian® Data Breach Resolution, that they are doing just that:
- Hospitals lead by example
Overall, hospitals are further along than private practices in implementing and managing data security. For example, 74 percent of hospitals audit their IT security plans, compared to 56 percent of medical practices. Considering that hospitals serve a larger volume of patients and manage more data, this is a positive note, and one that private practices can follow. Even so, hospitals are more likely than practices to report cases of medical identity theft and security breaches. This is probably a reflection of their larger patient populations and staffs; insiders at any organization are a source of risk, and the more people with access to records, the more opportunities for misuse or error. Reporting rates also reflect detection capability: an organization that audits its security finds more of the incidents it actually has.
- More frequent risk analyses
Approximately the same percentage of organizations conducted risk analyses in 2012 as in 2008 (77 and 78 percent, respectively). The good news is that they are doing so more often. In 2008, when the study was first conducted, 54 percent conducted an annual risk analysis; in 2012 the figure reached 64 percent. Frequency matters. An organization can’t put a set of controls in place and consider the job done: the threats, the systems and the data they hold all change, and the assessment of risk has to be repeated as they do. Another positive note: only three percent of respondents reported not addressing gaps in security controls uncovered by a risk analysis, and nearly half corrected the issues within six months.
- Multiple security tools in place
Of the 16 types of security tools the survey asked about, from electronic signatures to wireless protocols, the average healthcare organization uses nine. Firewalls, access controls and audit logs are the most widely used, covering prevention at the network boundary, authorization inside it, and the ability to reconstruct what happened after the fact; together they address both internal and external threats. Among access controls, user- and role-based controls are the most common, while group-, location- and rule-based controls see significantly less use. The fact that organizations deploy multiple tools points to an understanding that data security requires a layered approach rather than any single product. Looking ahead, organizations say they are more likely to add disaster recovery and data loss prevention tools than biometric technology.
- Encryption becoming more commonplace
While encryption doesn’t top the list of security tools in use today, it has become more commonplace. In 2008, 55 percent of organizations encrypted email; nearly 64 percent do today. Laptops are the devices most likely to be encrypted, more so than desktop computers, which fall at the bottom of the list for hospitals. Mobile devices, such as monitoring devices, are the least likely to be encrypted at a medical practice. Surprisingly, just under 50 percent of organizations encrypt backup tapes. That is worrisome: tapes are small, portable and easy to steal or lose in transit, and a lost unencrypted tape exposes every record on it. Under the HIPAA breach notification rule that loss is a reportable breach of unsecured PHI, whereas a properly encrypted tape generally is not. Backup tapes can also aid a breach investigation, which is one more reason to safeguard them well.
- Data breach response plans a priority
Even with multiple security tools in place and frequent risk analyses, healthcare organizations can still experience a breach. So it’s encouraging that nearly all of the surveyed organizations have a response plan in place or are developing one; fewer than one percent reported having no current plan and no intention to create one. A data breach response plan lets an organization act quickly and efficiently when an incident occurs, eliminating the deer-in-headlights period of inaction that costs valuable time and money. With one-fourth of respondents reporting a breach in the past year, response plans are not optional. They are necessary.
It’s heartening to see signs that the healthcare industry is becoming more proactive about data security. Only time will tell whether these efforts produce a drop in medical breaches or whether incidents continue to climb. There’s been a lot of “it’s only going to get worse before it gets better” talk, and that may still be the case. But organizations do appear to be making progress. Let’s hope it continues in 2013 and beyond.
The full 2012 HIMSS Security Survey is available as a free download.