The Ponemon Institute just released a new benchmark report on health data security, and the findings are troubling. Health Data Management reports that the survey focused on adherence to HITECH Act privacy and security requirements; senior managers indicate that adherence is low. In fact, leaders at 65 provider organizations indicated that a significant number of organizations cannot properly secure patient data. Of course, this does not bode well for overall HIPAA compliance.
According to respondents, these security gaps result from a combination of factors. 71 percent of surveyed provider facilities reported inadequate resources, a lack of appropriately trained personnel and insufficient policies and procedures.
That said, compliance with the HIPAA Security Final Rule requires that every covered entity (CE) and Business Associate (BA) conduct a foundational risk analysis (45 C.F.R. §164.308(a)(1)(ii)(A)), identify security risks and implement measures “to sufficiently reduce those risks and vulnerabilities to a reasonable and appropriate level.”
Additionally, the HIPAA Security Final Rule Evaluation Standard (45 C.F.R. § 164.308(a)(8)) requires CEs and BAs to “Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”
Since February, almost 200 organizations have been posted to the HHS Wall of Shame for data breaches affecting 500 or more people in one geographic area. The healthcare sector is in the process of learning the hard way that an ounce of risk prevention is worth a pound of mea culpas.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.