Breaches epidemic despite efforts at compliance, says Kroll
Among the findings of the 2012 "HIMSS Analytics Report: Security of Patient Data," one of the most salient is that human error still poses the greatest risk to data security.
- In 2012, 79 percent of respondents reported that a security breach was perpetrated by an employee.
- Fifty-six percent of respondents indicated that the source of a reported breach was unauthorized access to information by an individual employed by the organization at the time of the breach.
- Forty-five percent of respondents indicated that lack of staff attention to policy puts data at risk – an increase of 14 percent from 2010.
Another significant takeaway is that mobile devices might be great for giving clinicians information at the point of care – but they're not so good at keeping PHI safe. Nearly a third (31 percent) of respondents indicated that information available on a portable device was among the factors most likely to cause a breach (up from 20 percent in 2010 and four percent in 2008).
Mobile represents a "whole new world," says Lapidus. Once upon a time, organizations were worried enough about "keeping their desktops and laptops secure" – and now you have employees bringing mobile phones into the office that also happen to be computers.
"They're going to be a continuing cause of security issues," he says. "The proliferation of them, and the expansion of the amount of data they store, makes it easy to get data in and out of your organization. You have to be mindful of people bringing things that are innocuous into the workplace and using them to access data."
Lapidus adds that "I don't think we know yet how organizations are going to truly manage it, other than making sure mobile is part of their policy and procedures."
Third parties pose another big problem. With providers lacking the resources to deal with a multitude of demands, outsourcing of patient data is increasing – and so are third-party breaches. Nonetheless, security practices aren't doing an adequate job of keeping up with this new state of affairs, the survey finds:
- Eighteen percent of respondents that experienced a breach in the past 12 months cited third parties as the root cause.
- Twenty-eight percent of respondents indicated that "sharing information with external parties" is the top item that put patient data at risk (up from 18 percent in 2010 and 6 percent in 2008).
- Half of respondents noted that they required proof of employee training from third parties.
- A little more than half (56 percent) indicated they require proof of employee background checks.
- The same percentage of respondents said they verify that their third party vendors conduct a periodic risk analysis to identify security risks and vulnerabilities.
"There are numerous reports of security breaches that have taken place as a result of the actions taken by business associates handling identifiable health information," said Lisa Gallagher, senior director of privacy and security for HIMSS, in a written statement. "Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information … background checks, employee training and continued monitoring of policies and procedures are steps all covered entities should ensure are taken by their business associates."
"It's a critical aspect, and one that's often overlooked," adds Lapidus. "Organizations outsource plenty of services." Employee benefits, for instance – in which case, "that third party has access to your employees' PII [personally identifiable information] – and maybe their PHI. When they chose that employee benefit provider, was the chief compliance officer involved? Was the chief information security officer involved? I would say it's doubtful."
In other words: Is security the first lens organizations are looking through when sharing their data with third parties? "I don't think it is, and I think it should be," he says. "It requires everybody to have a risk-minded approach."
Yet another discouraging finding of the HIMSS/Kroll study is that there's still little clarity in most organizations about just who is responsible for data security. Asked who held that role, respondents' answers ranged widely, from HIM director (21 percent) to CIO (19 percent) to chief security officer (10 percent) to chief privacy officer, chief compliance officer and CEO (12 percent each).
"You have 'responsible,' and you have 'accountable' – those are the two pools of people," says Lapidus. "In my mind, the executive board of the organization is responsible, from the CEO to everyone else in the C-suite."
The problem, though, is that "shared responsibility can sometimes lead to a lack of accountability."
Lapidus says he believes that everyone in that C-Suite – "chief information security officer, chief compliance officer, chief privacy officer, general counsel and CIO" – is "accountable for making sure this happens, each in their own way. They should be linked in arms, doing everything they can to protect patient data."