What do survey statistics say about healthcare’s attitude toward HIPAA?

Tod Ferran, CISSP, QSA
By: Tod Ferran
Not many studies have been done on HIPAA and how it’s been applied in healthcare. Especially among smaller entities.

SecurityMetrics interviewed over 100 small medical offices about their HIPAA situation in a short survey, and found three main themes.

1. HIPAA is not a priority

HIPAA Compliance TrendsNo big surprise here. Many smaller healthcare professionals mistakenly believe they are exempt from HIPAA, or that it’s worth it to roll the dice with the Department of Health and Human Services (HHS). According to SecurityMetrics’ survey, 45% of them do not have a formal HIPAA Risk Analysis Report and Risk Management Plan, which are the two most basic and crucial elements of HIPAA compliance.

SEE ALSO: You May Not Be Done With Your HIPAA Requirements

However, I am glad to see that 80% of the offices have designated a HIPAA Privacy and Security Officer. That’s a great first step. I’m also glad to see that only 13% of the offices had protected health information (PHI) viewable by patients on receptionist counters or computer monitors, etc.

SEE ALSO: How Much Does a HIPAA Risk Management Plan Cost?

2. Security is important, but not fully understood

Some healthcare providers have a deep desire to be secure. They have their patients’ best interest at heart. But…many just don’t get security or don’t have the technical expertise to implement the requirements.

A great example of this is computer timeouts. Security best practice states that all office computers should automatically enable a screensaver that requires a password after a period of inactivity. What would happen if a physician left his workstation computer unattended without a screensaver? People could very easily gain access to patient data.

Unfortunately, at the time of the survey, 22% had empty workstations with computers that hadn’t timed out or been logged out.

Here’s another scenario.

I know sharing is caring, but not when it comes to PHI security. 18% of offices stated that their employees share login IDs or passwords. The biggest problem with sharing passwords is this: If your organization is accused of illegally accessing patient information, how do you track which of your employees accessed a patient’s information if they all use the same username and password?
Individual logins keep employees honest and companies transparent.
Learn how to make sure your password is HIPAA compliant here.

Throughout the survey, a few great bits of news gave me hope for the security of the healthcare industry. Only 6% of offices would simply throw away or recycle documents containing PHI, instead of properly disposing of them.

And only 10% of offices have personal mobile devices connected to the business network with unencrypted PHI. I would love this number to be 0, but the fact that 90% of offices do not allow their employees to connect to the business network on their mobile devices makes me, as a security professional and potential or existing patient, very happy. (Check out this blog post for more information on mobile PHI security.)


3. Training is not a priority

What we found out about training actually surprised me. I thought for sure most, if not all, offices would have a formal training program for employees, especially since training is also part of the HIPAA Privacy Rule. But over a third (36%) of offices haven’t formally trained their employees on HIPAA compliance in the last year, or weren’t sure the last time they did training.

Arguably the second most important part of training (and another HIPAA requirement) is the documentation of each employees’ training, but virtually the same amount of offices (35%) do not have documentation of each employee’s HIPAA Privacy and Security training.

SEE ALSO: Security Awareness Guidance

This next statistic is a great example of bad security training, no matter what industry you’re in. 17% of offices had sticky notes, notepads, calendars, etc. that contained passwords, usernames, or PHI. Arg! This is security 101 people!


HIPAA security has been overlooked

Overall, I’m not that surprised at the results of the survey. They coincide with what I see every day on HIPAA audits around the country. But, I do have hope. As more and more organizations are audited by the HHS, or hacked, I think we will see better HIPAA security practices among both large and small healthcare organizations.

What do you think? Do you agree with what our survey found?

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.

21 Day Plan for HIPAA Compliance