Healthcare organizations may be lulling themselves into a false sense of security when it comes to data security, according to a biannual report from HIMSS Analytics.
The white paper, commissioned by Nashville, Tenn.-based Kroll Fraud Solutions, says respondents gave their organizations high marks--an average of 6 on a scale of 1 to 7--for compliance with HIPAA, state security laws, CMS regulations and the Federal Trade Commission's "Red Flags" rule for identity theft, and a score of 5.75 for compliance with new security requirements of the HITECH Act portion of the American Recovery and Reinvestment Act. Despite these high ratings, 19 percent of organizations reported having a data breach in the past 12 months, up from 13 percent in 2008.
One reason for this may be that organizations continue to view security in silos. Some 87 percent of respondents said they have policies to monitor access to and sharing of electronic health information, but most of the reported breaches had more to do with carelessness than technology: stolen laptops and back-up tapes, as well as improper document disposal.
"On one hand, healthcare organizations are demonstrating increased awareness of the state of patient data security as a result of heightened regulatory activity and increased compliance," Kroll COO Brian Lapidus tells Health Data Management. "On the other, organizations are so afraid of being labeled 'noncompliant' that they overlook the bigger elephant in the room, the still-present risk and escalating costs associated with a data breach. We need to shift the industry focus from a 'check box' mentality around compliance to a more comprehensive, sustained look at data security."