BreachExchange mailing list archives

Physician Practices, Health Care Organizations See Own Staff as Source of Security Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 21 Feb 2014 19:29:28 -0700

http://www.onclive.com/news/Physician-Practices-Health-Care-Organizations-See-Own-Staff-as-Source-of-Security-Breaches

Results from the final report of the 2013 Healthcare Information and
Management Systems Society (HIMSS) Security Survey suggest that physician
practices and health care organizations such as hospitals view their own
staff members as the greatest source of patient information and
confidentiality security breaches. In fact, 80% of respondents noted that
they were concerned that human-related factors would put data at risk.

In the survey, respondents were most likely to identify human-related
factors such as individuals circumventing controls or disclosing
information in error as the greatest area of concern. Respondents were
least likely to identify loss of information integrity, such as database
corruption, as a concern. The respondents used a scale from one to seven,
where one was not perceived as a threat and seven represented an area that
was of high threat concern.

A security breach from an insider remains a major challenge, according to
the 283 information technology and information security professionals who
responded to the survey. The survey was supported by the Medical Management
Association and sponsored by Experian Data Breach Resolution.

To guard against prying eyes among staff, hospitals and practices are adding
technology to existing IT systems to prevent snooping into electronic
records. These include user access controls and audit logs of each user's
access to patient health records.

Additionally, two-thirds of respondents reported that they use at least two
access control mechanisms, such as user-based and role-based access
controls, for controlling employee access to data. Furthermore, the number
of respondents indicating their organization is collecting and analyzing
data from audit logs is also increasing. For instance, the numbers of
respondents who report that their organization analyzes data from its
firewalls, applications, and servers have all increased in the past year.

Lastly, health care organizations are more frequently auditing their IT
security plan to ensure they are ready in the event that a breach --
internal or external -- takes place.

Other key survey results include:

- Risk Analysis: The number of respondents working for physician practices
that reported their organization conducted a risk analysis increased from
65% in 2012 to 78% in 2013.
- Data Breach Response Plan: More than half of the respondents (54%)
reported that their organization has tested their data breach response plan.
- Security Breaches: Nineteen percent of respondents reported that they had
a security breach in the last year. The majority of these breaches involved
fewer than 500 patients. Three-quarters (79%) reported that they notified
patients affected by the breach. Only 8% of respondents indicated that the
security breach was the result of actions taken by a business associate.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
