Checking regulatory boxes does not mean greater patient data security, survey finds

A majority of respondents said they are devoting the most time to Health Insurance Portability and Accountability Act (HIPAA) compliance procedures. Other regulations that are taking up compliance time are the Health Information Technology for Economic and Clinical Health (HITECH) Act and various state patient privacy laws and regulations, according to the survey of 107 IT administrators, managers and C-level executives from healthcare organizations of various sizes.

“You would think with all the time being devoted to compliance, we would have a reduction in breaches. But unfortunately, one-third of respondents said they had a patient records breach within the past two years. I would hypothesize that many wouldn’t admit to breaches or there are probably even more who aren’t aware that they’ve had a breach”, said Lila Kee, chief product officer at GlobalSign.

A full 33% of respondents believe that patient records data breaches that cost organizations at least $100,000 are happening on a weekly basis, the survey found.

“All the big headlines about fines are rattling people’s cages and getting their attention”, Kee told Infosecurity.

Earlier this year, the Department of Health and Human Services levied millions of dollars in fines on healthcare organizations for violations of the HIPAA privacy rule, including a $1 million fine on Massachusetts General Hospital for a data breach affecting 193 patients.

The survey also found that a surprising 79% of respondents said they find it “moderately to extremely difficult” to find applications that will improve information security and regulatory compliance.

“Not only is information security not the core expertise [of healthcare organizations], I don’t think they have the internal expertise to sort through the information about compliance and solutions”, Kee said.

At the same time, 37% of respondents spend no more than 25% of their work weeks devoted to improving data security and privacy.

“I think organizations are making sure that they check the boxes for compliance, but I’m not sure that they are pursuing the ultimate objective of making sure patient records are protected”, she concluded.