Survey Shows Compliance Overconfidence
2015 Healthcare Information Security Today Survey Results
With regulators gearing up to begin the next phase of HIPAA compliance audits, many covered entities appear to be overconfident about passing that scrutiny, according to the results of Information Security Media Group's latest Healthcare Information Security Today survey.
Nearly 80 percent of healthcare organizations that participated in the 2015 survey said they were confident or somewhat confident that they'd "pass" a HIPAA compliance audit by the Department of Health and Human Services' Office for Civil Rights with only minimal non-compliance issues.
But despite the strong confidence levels of most respondents when it comes to their organizations' compliance efforts, a closer look at other survey results shows that many covered entities are still falling short in applying key technologies and practices to protect patient data against many current and emerging cyberthreats, including measures called for by the HIPAA Security Rule.
For instance, the survey found:
- Only 75 percent of respondents say their organizations conducted a security risk assessment last year. The failure to conduct a thorough and timely risk assessment is the most common non-compliance issue that has been cited by OCR during HIPAA breach investigations - including some resulting in hefty financial settlements - and also in the agency's pilot HIPAA compliance audit program.
- Despite lost or stolen unencrypted devices being the biggest cause of major health data breaches reported to OCR since 2009, only 60 percent of surveyed organizations are requiring encryption on portable devices and media. And only about half require BYOD devices to be encrypted.
- Although OCR looks for documented evidence of HIPAA compliance efforts, less than 60 percent of surveyed organizations have a documented security strategy; most of the others say they are working on one.
"Having a documented information security plan is important because it serves as 'a roadmap,'" says Tom Walsh, founder of consulting firm tw-Security. "It's laying the foundation, the groundwork as far as where the security program will be going in the immediate future, as well as further out."
OCR recently began sending screening surveys to covered entities and business associates to identify potential candidates for the upcoming resumption of the audits. The office has been working on the next phase of its audit program since finishing up a pilot audit program in 2012, in which 115 covered entities were examined (see HIPAA Audits: Getting Ready).
Business Associate Risks
Many covered entities participating in the survey also appear to fall short in the management of their third-party vendors. Under the HIPAA Omnibus Rule that went into effect in 2013, business associates and their subcontractors are directly liable for HIPAA compliance.
The survey found that only 26 percent of organizations have asked their BAs to provide a copy of a security audit, only 24 percent have obtained a copy of their BAs' security policies and just 15 percent have commissioned third-party validation of the BA's policies and procedures.
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, urges healthcare entities to be far more proactive with their BAs about security.
"Before you enter into an agreement with them or before you share or have any of your PHI provided to them, take steps to make sure that your vendor has the capability to safeguard your PHI by assuring that they have done the appropriate HIPAA security risk analysis," he says.
Covered entities also should ask about the security safeguards their business associates have in place, he urges. Plus, he advises healthcare organizations "to make sure that you're only sending an amount of - or the type of - protected health information that is needed for [the business associate] to carry out their functions or responsibilities."
[Chart] How confident is your organization that it would "pass" an HHS Office for Civil Rights HIPAA compliance audit with only minimal non-compliance issues noted? (Source: ISMG Corp.)
Although confidence levels about HIPAA compliance appear to be high among the survey respondents, they nevertheless said their top information security priority for 2015 was improving regulatory compliance, followed by improving security awareness and training, and then preventing and detecting breaches. Those were also the top priorities in the two previous Healthcare Information Security Today surveys.
The focus on compliance by many healthcare entities may be misguided, says Cris Ewell, CISO of Seattle Children's Hospital. "I don't go after certain compliance levels," he says. "You just [need to] have a good information security program, and out of that, you have compliance."
The online 2015 Healthcare Information Security Today survey was conducted in December 2014 and January 2015. Respondents included about 200 CISOs, CIOs, directors of IT and other senior leaders at hospitals, integrated delivery systems, physician group practices, insurers and other healthcare organizations.
A comprehensive report with survey analysis is now available. Also available is a webinar featuring a panel of experts.