Data security remains low priority for many healthcare facilities, says report

Despite the passing of legislation and eligibility criteria introduced by the Centers for Medicare and Medicaid Services (CMS), the security of patient medical data remains a low priority for many healthcare facilities, according to a report published by the Computer Sciences Corporation’s (CSC) consultancy division.

Although the Healthcare Insurance Portability and Accountability Act (HIPAA) regulations and the CMS’ Meaningful Use federal financial incentives mandate that information security across medical informatics networks be handled appropriately, the report by CSC indicates that fewer than half of the hospitals surveyed even undertook a data security assessment on an annual basis.

Many considerations relating to the security of patient medical information are presently being reviewed by federal agencies and committees, with final rulings expected in many instances by the end of this year. Issues currently being addressed include controversial proposals surrounding the disclosure of accountability errors in data breaches, encryption protocols, the relaxing of marketing restrictions, and the sale of patient health information.

The findings of the CSC report are backed by a similar survey conducted by the Healthcare Information and Management Systems Society (HIMSS), which suggested that 47 percent of large healthcare organizations conduct the annual risk assessment surveys required under HIPAA regulations. The report also indicates that 58 percent have no dedicated information security personnel, and that 50 percent said they spent less than 3 percent of their operational budgets on the security of patient medical data.

Jared Rhoads, a consultant for CSC and author of the report, told Information Week that many healthcare organizations had failed to take the HIPAA regulations seriously due to a lack of official enforcement. Now, he says, the Office of Civil Rights (OCR) has adopted a more aggressive stance on the enforcement and investigation of HIPAA regulations within major healthcare facilities. Rhoads said that he expects the OCR to begin auditing healthcare providers for regulatory compliance later this year.