News Feature | November 4, 2014

Small Healthcare Facilities Unprepared For Data Breach, Study Reveals

By Megan Williams, contributing writer

Your smaller healthcare IT clients might be in trouble, according to a study from CSID, a leading provider of global identity protection and fraud detection technologies.

According to the study, the small facility market presents solutions providers with an opportunity not only to find new clients in need of data security services, but also to offer risk assessments to clients who may not realize their current risks.

Key Findings

Even with healthcare breaches increasing (especially on the international front), and the FBI issuing warnings about the industry-specific threats that the healthcare industry faces, the CSID survey still revealed that the majority of smaller healthcare facilities feel that they are adequately prepared and protected against breaches. This sentiment comes at the same time that one in three of those facilities is spending less than 10 percent of their IT budget on patient data protection.

No Worries

It appears that the reality of the risk of data breaches hasn’t reached smaller organizations, with only 16.7 percent indicating they are concerned about losing patient data as a result of a breach, and less than one third (28.6 percent) having a crisis plan in place to react.

Password Problems

On the bright side, most of the responding facilities (81 percent) did indicate they require strong passwords to access any systems that host sensitive information and also exercise control over who has access to EHRs (electronic health records). Still, only one-third use multi-factor authentication, and only one-quarter audit and vet vendors that access patient data.

Access Issues

The survey also revealed that half of employees who have access to EHRs also have access to their personal email at their job. While not an obvious breach, this outlet makes it easy for patient data to be sent outside of a facility’s systems without being tracked.

CSID President Joe Ross weighed in on the situation: “With the rise of electronic medical records, one weak link can be devastating for the whole system. This survey shows that smaller healthcare facilities may not have adequate resources or know-how to protect patient data, potentially putting these entities and their patrons at risk. It is going to be increasingly important for all healthcare facilities to proactively protect against medical data theft by implementing stronger security protocols and having a breach plan in place. Our goal here is to help them do this.”

Risk Assessment Resources

Any client exhibiting issues like these is overdue for a risk assessment. HIMSS has recently launched a toolkit containing resources designed to help you get started understanding assessments and help your clients develop a comprehensive security program. The toolkit (available here) contains the following documents, available for download:

  • Introduction to the Risk Assessment Toolkit and Security Risk Assessment Basics
  • HIMSS Security Risk Assessment Guide/Data Collection Matrix
  • How to use the HIMSS Security Risk Assessment Guide/Data Collection Matrix
  • Sample Risk Assessment for Cloud Computing
  • Sample Risk Assessment for a Physician Practice