
9/12/2011
01:36 PM

Data Security Not High On Hospitals' Priority List

Fewer than half of large facilities conduct annual risk assessments, but that might have to change, according to CSC consultant.

Slideshow: Siemens Healthcare Data Center Virtual Tour
New HIPAA data security requirements and the Meaningful Use criteria for the security of personal health information (PHI) make it essential for hospitals to beef up their security measures, says a new report from the CSC consulting firm. Yet according to a HIMSS study cited in the report, fewer than half of hospitals even do an annual security risk assessment.

According to the rules for stage 1 and the putative rules for stage 2 of Meaningful Use, CSC consultant Jared Rhoads writes in his report, institutions must conduct an annual risk analysis and correct any deficiencies "by implementing the appropriate policies and technical capabilities."

Under the HITECH provisions of the American Recovery and Reinvestment Act, HIPAA security provisions are also being tightened. Proposed regulations--expected to be finalized this fall--require new breach notifications, extend security rules to business associates, further restrict the marketing and sale of PHI, and mandate annual risk assessments.

Yet a HIMSS survey of large healthcare organizations found that just 47% conduct annual risk assessments. Fifty-eight percent of the respondents had no staff members dedicated to security, and 50% spent 3% or less of organizational resources on security.

Rhoads wasn't surprised that so few hospitals put an intense focus on data security. Some hospitals think that security technology alone will protect them, "but it's a lot deeper than that," he told InformationWeek Healthcare. "You have to have the right processes and do continual training and risk assessments."

Rhoads also points out that some hospitals might have been lulled into complacency because the government did not strictly enforce the HIPAA security rules until recently. But now the Office of Civil Rights (OCR) is taking a more aggressive stance toward enforcement. Starting later this year or early in 2012, OCR will start auditing organizations for compliance, he noted. Because of this, the new HIPAA regs, and the Meaningful Use requirement, he expects hospitals to step up their security efforts.

Not that hospitals haven't been trying to improve their security. In HIMSS' 2011 Leadership Survey, 26% of responding CIOs said their organization had experienced a security breach in the past 12 months, slightly more than in the previous year. Thirty-six percent of respondents said this was their biggest security concern. The second largest number of respondents--30%--said that complying with HIPAA and CMS regulations was their biggest security issue. Lack of compliance with a business associate agreement was far down the list, with only 3% of respondents saying this was a major worry.

Rhoads said that it will be difficult for providers to police the security processes of their business associates--and it will be even more problematic if the HIPAA final rule also covers subcontractors of business associates, as proposed. He suggested that healthcare providers include language addressing security in their contracts with business associates. Also, he said, they should hold regular meetings with these entities to review their security policies.

Rhoads also recommended that hospitals encrypt their data, if they don't already. While the proposed HIPAA rule doesn't require that, it does say that encryption is "addressable"--meaning that if you don't encrypt data, you have to destroy it, according to the CSC consultant. Moreover, he noted, there's a safe harbor for encryption: If encrypted data is lost or stolen, the breach doesn't have to be reported in the same way as a breach of unencrypted data.

Two-factor authentication--using two different types of data to authenticate someone logging onto the system--is not going to be required any time soon, Rhoads said. But someday it might be required for remote access to a hospital system or for health information exchange, he added.
