During the Health Information Management and Systems Society 2008 conference in February, sixty-four percent of those who took part in a survey said compliance and user access control were their top security concern.
User access and control still on the minds of hospital CIOs. HIPAA compliance also a concern. (IMG: UCLA)
The research was conducted with HIMSS attendees, including a cross-section of healthcare providers ranging from community hospitals to multi-hospital systems. The focus group and survey were developed to gain more insight into how healthcare providers view the importance of security and compliance efforts, especially in the context of patient care and privacy priorities and increasing enforcement of HIPAA guidelines.
Among one-hundred thirty-six pre-screened HIMSS respondents, sixty percent reported issues with users sharing passwords, fifty-two percent found that orphaned user accounts were not properly disabled after employment was terminated and thirty-eight percent of respondents said there had been instances of inappropriate access.
While risk management issues are clearly viewed as a priority, a Courion-commissioned focus group conducted by HIMSS Analytics uncovered an increasing concern that the pressure to deploy comprehensive electronic medical record (EMR) systems is taking budget and resources away from other priorities – specifically security and compliance efforts.
“The HIMSS research supports an interesting dichotomy we’re seeing in the healthcare market today. With CIOs taking on increasing responsibility for risk management issues along with operations, security is being looked at more strategically by hospitals,” said Todd Chambers, chief marketing officer, Courion.
“But with limited budgets, it’s a challenge to prioritize. With more hospitals relying on remote and non-employee workforces, combined with the use of mobile and virtualization technology, the IT environment is increasingly difficult to secure, and without the enforcement of proper policies and checks and balances, audits will become increasingly difficult to pass.”
There is no doubt that HIPAA remains a primary driver of IT and security decision-making. In fact, according to the HIMSS attendee survey, seventy-five percent of respondents were concerned about facing a HIPAA audit and the majority of respondents (sixty percent) cited the threat of a HIPAA compliance audit as the strongest driver for their security initiatives.
There was an overriding sentiment, Courion reported, that compliance and security don’t become top priorities unless there is a security breach or the hospital is facing an external audit.
This reactive approach to compliance and security is an increasing concern, particularly given high-profile privacy breaches (recall the UCLA Medical Center and unauthorized access to medical records for Britney Spears). In fact, many of those who responded to the survey felt there was a sense of denial at the executive level about their facility actually being vulnerable to a security breach.
The survey found that over the past year, the most common compliance vulnerabilities were users sharing passwords, orphan accounts left active, and inappropriate access.
Sadly, as the survey results point out, while most hospitals conduct regular audits to determine if data has been compromised, audits alone do nothing to prevent a breach from happening in the first place.
It is a wonder whether, when HIPAA was introduced, IT was given any thought in the compliance process. It would appear, at least when you look at the survey data, that compliance is still non-existent in some instances.
Related: http://www.thetechherald.com/article.php/200812/467/
Bill Weiss, May 5th, 2008 - 12:55:21
Network security risks from Peer to Peer networks cannot be stopped by firewalls or content filtering devices. It's very easy to leak patient information onto P2P networks, which can never be removed from the internet. We at safemedia developed a network appliance that totally stops inadvertent file theft and protects Hospitals from over 650 P2P networks. It's really not a question of if you will lose patient data, but just a question of when. Our web site offers a free listing of all the threats. Stop a HIPAA audit before it happens.