Breaches epidemic despite efforts at compliance, says Kroll
A new study from HIMSS Analytics and Kroll Advisory Solutions shows that, a diligent focus on security compliance notwithstanding, healthcare providers are still badly lacking when it comes to privacy protections. In fact, data breaches have only increased in recent years.
According to the 2012 "HIMSS Analytics Report: Security of Patient Data," increasingly stringent regulatory activity with regard to reporting and auditing procedures – and increased compliance from providers – haven't done anything to prevent an uptick in breaches over the past six years.
The report is the third iteration of Kroll’s biannual survey of healthcare providers nationwide.
Ironically, it shows increasing confidence on the part of its respondents – which included HIM directors, compliance officers, CIOs and more – that they're ready for data risks. On a scale of one to seven, with one being “not at all prepared” and seven being “extremely prepared,” respondents scored themselves an average of 6.40 – compared to 6.06 in 2010 and 5.88 in 2008.
But feeling like one is in adherence with policy prescriptions is not the same as actually protecting personal health information (PHI), says Brian Lapidus, senior vice president for Kroll Advisory Solutions.
"Organizations that have never dealt with one of these issues might think they're prepared," says Lapidus. "But when you get into the reality of actually handling the event, it becomes a whole different ballgame."
Indeed, 27 percent of respondents reported a security breach in the past year – well up from 19 percent in 2010 and 13 percent in 2008. More than two-thirds (69 percent) experienced more than one in the past 12 months.
Clearly, increased preparedness is not synonymous with increased security, says Lapidus. More often than not, providers are "prioritizing compliance over security," he says. "Where we are, with meaningful use and the incentives that come with that, those statutes are really tied more to compliance than they are to security."
Sure, there are security factors built in to the HITECH Act, he adds, "but because the incentive is focused on complying with EHR conversion and meaningful use, I think security might be taking a little bit of a backseat."
That said, the survey did find that a robust 96 percent of respondents reported conducting a formal risk analysis at their organization in the past 12 months. A good start, says Lapidus – but not enough, in and of itself.
[See also: Risk assessments leave hospitals hamstrung.]
"Risk assessment is the tip of the sword," he says. "And the depth of that assessment, that analysis, is going to vary from organization to organization. Some use it as a starting point for a deeper dive. They do the risk assessment, they understand their vulnerabilities, and then they use that assessment and the results that come from it as a work list with which they, organizationally, can go through and start working on each of these vulnerable areas."
At the other end of the spectrum, says Lapidus, "you have people who do the risk assessment and say, 'Great, I've done it, this is my checkbox for meaningful use Stage 1, and away we go.'"
That's not enough. The HIMSS/Kroll study offers ample evidence that healthcare is being buffeted by significant and fast-evolving security threats these days – and shows why it's imperative for healthcare organizations to take a proactive and nimble approach to ensuring their patients' personal health information is protected.