Survey Reveals Over-confidence in HIPAA Compliance
With regulators gearing up to begin the next phase of HIPAA
compliance audits, many covered entities appear to be over-confident about
passing that scrutiny, according to the results of Information Security Media
Group’s latest Healthcare Information Security Today survey.
Nearly 80 percent of healthcare organizations that
participated in the 2015 survey said they were confident or somewhat confident
that they’d “pass” a HIPAA compliance audit by the Department of Health and
Human Services’ Office for Civil Rights with only minimal non-compliance
issues.
But despite the strong confidence levels of most respondents
when it comes to their organizations’ compliance efforts, a closer look at
other survey results shows that many covered entities are still falling short
in applying key technologies and practices to protect patient data against many
current and emerging cyber threats, including measures called for by the HIPAA
Security Rule.
For instance, the survey found:
● Only 75 percent of respondents say their organizations conducted a
  security risk assessment last year. The failure to conduct a thorough and
  timely risk assessment is the most common non-compliance issue that has been
  cited by OCR during HIPAA breach investigations and also in the agency’s
  pilot HIPAA compliance audit program.
● Despite lost or stolen unencrypted devices being the biggest cause of major
  health data breaches reported to OCR since 2009, only 60 percent of surveyed
  organizations are requiring encryption on portable devices and media.
● Although OCR looks for documented evidence of HIPAA compliance efforts, less
  than 60 percent of surveyed organizations have a documented security
  strategy. Most of the other organizations say they are working on one.
Although confidence levels about
HIPAA compliance appear to be high among the survey respondents, they
nevertheless said their top information security priority for 2015 was
improving regulatory compliance. That was followed by improving security
awareness and training and preventing and detecting breaches. Those were also
the top priorities in the two previous Healthcare Information Security Today
surveys.
The online 2015 Healthcare
Information Security Today survey was conducted in December 2014 and January
2015. Respondents included about 200 CISOs, CIOs, directors of IT and other
senior leaders at hospitals, integrated delivery systems, physician group
practices, insurers and other healthcare organizations.
(ISMG website)