U.S. health care organizations continue to be plagued with IT security breaches, but a reduction in actual incidents suggests recent efforts by in-house staff or IT outsourcing services to secure patient information are starting to pay off, according to results of a new study.
In the 24th Annual HIMSS Leadership Survey, released at a conference in New Orleans last week, 19 percent of respondents said their health care organizations had experienced some security breach in the previous 12 months. That was down from 22 percent in the 2012 study.
But security worries have actually grown in some areas. The respondents, 298 senior IT executives at health care companies across the country, also were asked to identify no more than two concerns they had regarding the security of electronic medical information.
BYOD Remains a Big Security Concern
No surprise: More than a third (36 percent) said securing information on mobile devices was the top concern at their organization, up from just 6 percent a year ago. Compliance with HIPAA security regulations and CMS security audits was the top worry of 28 percent. Twenty-seven percent worry most about internal security breaches.
Concerns about health care IT security are nothing new. The Washington Post’s yearlong investigation of cybersecurity helped bring the problem to light with its finding that health care is among the most vulnerable industries. “I have never seen an industry with more gaping security holes,” computer scientist Avi Rubin told the paper. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”
According to the Department of Health and Human Services, 21 million patient records have been compromised in breaches since 2009. That figure doesn’t even capture the problem’s scope since only breaches of 499 or more records are reportable.
Health Care Industry Works to Secure Data
Findings like that – and tighter government regulations – got the industry’s attention. The HIMSS 2012 Security Survey, released in December, found that most health care organizations had increased their privacy and security budgets and were looking for better IT security solutions.
Tony Hudock, director of developmental and technical operations at Dignity Health, attended the HIMSS conference last week and told the website healthitsecurity.com that his struggle is how to secure patient data without losing efficiency or integration. He also looked for a solution that helped him see the whole security picture in a dashboard, he said.
“The ability to trace and track file submission is important. What happened with the legacy FTP side before, which was much more labor-intensive and no longer HIPAA compliant, was a data recipient may not have acknowledged that they received a file and part of the problem is that we have to account for the patient data,” Hudock said.