Providers ignoring security concerns

Feb. 2, 2010

According to Forrester Research, while the financial services and retail industries struggled to comply with the stringent regulations around the security and privacy of their sensitive data, the healthcare industry mainly sat on the sidelines. It largely ignored many of the requirements laid out in HIPAA.

Why? “Because there were neither real incentives to comply with these requirements nor penalties for noncompliance, and nobody was enforcing HIPAA,” says Forrester researcher Khalid Kark. “Now, with the increased focus on healthcare IT and the $19 billion set aside for the adoption of electronic health records (EHRs), the healthcare industry has a real opportunity to embed security into its systems and processes – rather than bolting it on later.”

The risk of theft, improper access or accidental disclosure rises significantly when patient records are computerized, Kark says. A single security incident can result in the loss of thousands of records containing electronic patient health information (ePHI). Yet despite the steep risks, he adds, many healthcare providers struggle to offer rudimentary security controls to their organizations because:

Basic security technologies and processes are missing. Even the most advanced hospitals lack basic security tools, Kark contends, such as an intrusion-prevention system (IPS), or a rudimentary process such as incident management. Many chief information security officers (CISOs) in the healthcare industry struggle to get management’s attention and are typically operating on shoe-string budgets. This has led to poor security and privacy controls at a majority of healthcare and medical facilities across the country.

Security spending lags behind other leading industries. Forrester’s annual security survey reveals that spending in the healthcare sector is lower than in other regulated industries. “We found that the healthcare industry allocates 10.9 percent of the IT operating budget to security, whereas financial services firms spend 12.6 percent, retail companies spend 12.5 percent, and even government institutions spend 11.1 percent,” Kark says. “Although higher spending is not a proxy for better security, the spending numbers do point to the difficulty that healthcare CISOs have in getting sufficient budget to protect their organizations.”

Healthcare providers are moving to EHRs without considering the security implications. The economic stimulus bill provides incentives to healthcare organizations – especially smaller physician practices – to convert to electronic records by offering them $2 billion in grants and $17 billion in Medicaid and Medicare reimbursements. Forrester has observed that in the rush to convert to electronic health records, many companies are ignoring or delaying basic security requirements.

Hackers are increasingly targeting healthcare and medical facilities. According to the San Diego-based nonprofit organization Identity Theft Resource Center (ITRC), healthcare was responsible for 20.5 percent of exposed records in 2008. This totals more than seven million records, and is the second-highest percentage, behind only the government/military sector. “This is partly because this sector is an easy target with lax security controls and partly because the rewards of breaking into healthcare systems are increasing as healthcare providers keep a number of records in electronic form,” Kark explains.
