Security Must be a Priority
The Ponemon Institute just released a new benchmark report on health data security and the findings are troubling. Health Data Management reports that the survey focused on adherence to HITECH Act privacy and security requirements; senior managers indicate that adherence is low. In fact, leaders at 65 provider organizations indicated that a significant number of organizations cannot properly secure patient data. Of course, this is not bode well for overall HIPAA compliance.
According to respondents, these security gaps result from a combination of factors. 71 percent of surveyed provider facilities reported inadequate resources, a lack of appropriately trained personnel and insufficient policies and procedures.
That said, compliance with the HIPAA Security Final Rule requires every covered entity (CE) and Business Associate (BA) conduct a foundational risk analysis (45 C.F.R. §164.308(a)(1)(ii)(A)) , identify security risks and implement measures “to sufficiently reduce those risks and vulnerabilities to a reasonable and appropriate level.”
Additionally, the HIPAA Security Final Rule Evaluation Standard (45 C.F.R. § 164.308(a)(8)) requires CEs and BAs to ”Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.
Since February, almost 200 organizations have been posted to the HHS Wall of Shame for data breaches affecting 500 or more people in one geographic area. The healthcare sector is in the process of learning the hard way that an ounce of risk prevention is worth a pound of mea culpas.