Physician Practices, Healthcare Organizations See Own Staff as Source of Security Breaches

Published Online: March 20, 2014
Tony Berberabe, MPH
Results from the final report of the 2013 Healthcare Information and Management Systems Society Security Survey suggest that physician practices and health care organizations such as hospitals view their own staff members as the greatest source of patient information and confidentiality security breaches. In fact, 80% of respondents noted that they were concerned that human-related factors would put data at risk.

In the survey, respondents were most likely to identify human-related factors such as individuals circumventing controls or disclosing information in error as the greatest area of concern. Respondents were least likely to identify loss of information integrity, such as database corruption, as a concern. The respondents used a scale from 1 to 7, where 1 was not perceived as a threat and 7 represented an area that was of highthreat concern.

A security breach from an insider remains a major challenge, according to the 283 information technology and information security professionals who responded to the survey. The survey was supported by Medical Management Association and sponsored by the Experian Data Breach Resolution.

To prevent staff’s prying eyes, hospitals and practices are adding technology to existing Information technology systems to prevent snooping into electronic records. These include user access controls and audit logs of each user’s access to patient health records. Additionally, two-thirds of respondents reported that they use at least 2 access control mechanisms, such as user-based and role-based access controls, for controlling employee access to data. Furthermore, the number of respondents indicating their organization is collecting and analyzing data from audit logs is also increasing. For instance, the number of respondents that report their organization analyzes data from their firewalls, applications, and servers has all increased in the past year.

Lastly, healthcare organizations are more frequently auditing their information technology security plan to ensure they are ready in the event that a breach—internal or external—takes place.

Other key survey results include:

• Risk Analysis: The number of respondents working for physician practices that reported their organization conducted a risk analysis increased from 65% in 2012 to 78% in 2013.

• Data Breach Response Plan: More than half of the respondents (54%) reported that their organization has tested their data breach response plan.

• Security Breaches: Nineteen percent of respondents reported that they had a security breach in the last year. The majority of these breaches involved fewer than 500 patients.

Three-fourths (79%) reported that they notified patients affected by the breach. Only 8% of respondents indicated that the security breach was the result of actions taken by a business associate.

Recommended Articles
Approximately 70% of all Medicaid beneficiaries receive their healthcare services through managed care, and state Medicaid programs are required to report encounter data to a national database, but 8 states did not during fiscal year 2011, according to a new government report.
ICLIO promises to guide oncologists in community care practices to navigate the growing field of immuno-oncology.
The report found that Medicare Part B spending per beneficiary in 340B hospitals was more than twice that of hospitals outside the program. Groups such as the Community Oncology Alliance have long warned that the 340B program, while essential, has grown beyond its original intent.
During this segment, the managed care stakeholders discuss drug spending in oncology and its relation to the overall cost of cancer care. Additionally, they consider which stakeholders should work with pharmaceutical companies during the early stages of drug development, and to what degree stakeholders should collaborate with pharma.
CMS has released additional guidance allowing for flexibility in claims auditing and quality reporting during the transition to the International Classification of Diseases, Tenth Revision and is working with the American Medical Association to educate providers.