Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

US healthcare data vulnerability report.

Kroll : 09 April, 2008  (New Product)
Poor awareness and focus on other matters of medical privacy leaves US healthcare organisations lacking in the field of patient data privacy according to Kroll report.
The healthcare industry's focus on medical privacy and compliance has fostered a lack of awareness around the frequency, cause and seriousness of patient identity theft, according to the 2008 HIMSS Analytics Report: Security of Patient Data commissioned by Kroll Fraud Solutions, a leading provider of data protection and identity theft response services. The report reveals a significant blind spot that hinders hospital efforts to contain the problem and reduce risk.

"Healthcare facilities are complex environments where information is stored and shared in a number of ways that are critical to patient well-being," said Brian Lapidus, chief operating officer of Kroll Fraud Solutions. "Until healthcare organisations expand their data security measures to address the threat of data compromise as well as privacy and compliance, patients will continue to be at risk."

Key report findings include:

* Regulatory loopholes in data management standards allow data breaches to go unreported, preventing an accurate measurement of frequency.

- Only 56 percent of breached organizations surveyed notified the patients involved.
- On average, respondents ranked their familiarity level with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) at a 6.53 (on a scale of 1-7, with 7 being the highest) and nearly 75 percent claimed a familiarity level of 7.
- The high level of HIPAA familiarity stems from the commencement of audits and the resulting penalties for non-compliant facilities. The issue: HIPAA compliance is an insufficient proxy for risk mitigation.

* Security policies place a greater emphasis on preventing violation of privacy than preventing fraud and malicious intent.

- Of those respondents who experienced a fraud-related breach, 62 percent identified the type of the breach as unauthorized use of information, while 32 percent cited wrongful access of paper records.
- Noticeably absent were breaches attributed to malicious intent (ie, stolen laptops/computers, deliberate acts by unscrupulous employees, and cyber attacks through the Internet).

* Healthcare organisations lack appreciation for the costs of a breach.

- Only 18 percent of breached organisations surveyed believed there was a negative financial impact, even though the average cost of a breach is estimated to be as high as $197 per compromised record and $6.3 million per incident.

"The number one priority of US healthcare institutions is saving the lives of those in need and rightly so, I might add," said Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). "But patient safety extends beyond clinical care. This data tells us that organisations must also broaden their data security and Risk Management measures to address the threat of patient data breach."
Among the 13 percent of respondents who revealed that their facility had experienced a data breach:.

* 48 percent indicated that "reprimanding the employee" is effective breach response, while 11 percent offer "education" as a solution.
* 35 percent said that they did not change the organisation's security policy after the incident.
* Identity theft is three times as likely to happen at a larger facility (more than 100 beds) than a smaller facility (under 100 beds).

The report also indicates that healthcare organisations are focusing their security programs on employee education with nearly all respondents reporting that their organisations educate employees about the importance of maintaining patient data security. Almost 50 percent cited reprimanding or terminating the employee as an element of their organisations' breach response plan and 35 percent of breached organisations surveyed did not change their security policies after the incident.

"There's a dangerous assumption in the healthcare industry that education leads to policy implementation and change," said Mr Lapidus of Kroll. "Best practices in data security cannot be achieved by employee training alone. Organisations must make data security a part of their DNA, reflected in every aspect of business operations."

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo