Despite Focus On Security Compliance, Provider Data Still Isn’t Secure

Posted on April 26, 2012 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

It looks like we’ve got a billion-dollar mismatch between rules and reality here. An established security research firm has released a study suggesting that while providers are working hard on meeting HIPAA and other security regs, their data isn’t any more secure than it was before.

Kroll’s 2012 HIMSS Analytics Report: Security of Patient Data concludes that the rate of provider data breaches has been rising over the past six years, despite pressure on providers to conduct more security audits and otherwise tighten up their data security.

What’s scary about this trend is that the healthcare institutions surveyed by Kroll don’t seem to be aware of the problem. Health IT execs rated themselves at 6.4 out of 7 (seven being “extremely prepared”) on their readiness to address data security. That’s up from 6.06 in 2010 and 5.88 in 2008.

But the data Kroll gathered suggests that they’re overconfident at best. It found that 27 percent of respondents had reported a breach during the past twelve months, up from 19 percent in 2010 and 13 percent in 2008. Worse, of the providers that reported a breach, 69 percent had seen more than one.

Now, it would be easy to say that regs like HIPAA, Meaningful Use standards and the Red Flags rules are malformed, and that this is just another case of government getting it wrong to industry’s detriment. If there’s any truth to this notion, I do hope CMS leaders take notice and adjust some of their requirements; Heaven knows they’d get plenty of credible, carefully thought-out feedback if they asked.

Unfortunately, though, I suspect it’s far from that easy. We’d all love it if we could just follow the rules, get government approval and then say “stick a fork in it, security’s done.” But as readers know, security is such a complex mix of implementing technologies and changing inappropriate behaviors that it’s sometimes hard to tease out just what went wrong.

Still, it’s good to have an organization like Kroll remind us that meeting HIPAA requirements isn’t the be all and end all. Unfortunately, it’s really just the beginning.