How did healthcare do with HIPAA in 2016? 

Read our 2017 SecurityMetrics Guide to HIPAA Compliance.

You can find the SecurityMetrics 2018 HIPAA Guide here.

By: Brand Barney
Security Analyst
CISSP, QSA
2016 has seen many reported data breaches, many of which were healthcare related. Does this mean that healthcare has gotten worse in data security and HIPAA compliance? Not necessarily.

We wanted to find out how healthcare was doing with HIPAA, so we conducted several surveys of over 150 healthcare professionals (who were responsible for HIPAA compliance) across the nation, primarily from organizations with fewer than 500 employees. They were asked questions ranging from overall HIPAA compliance status to specific elements of the Security Rule. Here’s what we found out:

Patient data security 

According to our surveys, 38% of respondents don’t know if they encrypt data, and 50% don’t know if their organization uses multi-factor authentication. These two practices are critical in protecting patient data.

Unsecured remote access is still the #1 pathway hackers use to steal data. Organizations that use remote access need to secure it properly through multi-factor authentication and limiting user access. It’s also important to encrypt any sensitive data: should it be stolen, encrypted data is essentially useless to the hacker.

HIPAA Firewalls

With firewalls, while most organizations have one in place, 41% don’t know how often their firewall rules are reviewed, and 37% don’t know whether or not they store firewall logs.

Firewalls aren’t plug-and-play technology. Organizations need to make sure all their rules are configured properly, and that someone is consistently reviewing logs. A firewall that isn’t working properly can negate any benefit it had for your security.

SEE ALSO: Firewalls 101: 5 Things You Should Know


Mobile device security 

With the widespread use of mobile devices in healthcare, many organizations haven’t taken proper steps to secure their devices or the data on those devices. Only 41% of respondents have a mobile device policy, and only 21% use mobile encryption.

Many of the recent data breaches have been related to stolen or lost mobile devices, so organizations should pay more attention to securing those devices and make sure they have a mobile security strategy in place. Having a mobile device policy in place and making sure no personal devices have access to patient data are good ways to secure your data.

Email security

Emails need to be HIPAA compliant too. 46% of the surveyed organizations send emails containing patient data, and 32% send patient data that is either unencrypted or sent through normal, unsecured email.

Unsecured emails can be easily hacked. Best practice is to encrypt any patient information in emails, and use a secure email server. Better yet, avoid sending sensitive information through email at all.

SEE ALSO: How to Send a HIPAA Compliant Email

HIPAA Training

As far as training goes, organizations are doing a bit better, with 71% training on the HIPAA Privacy Rule, 67% training on the Security Rule, and 67% training on the HIPAA Breach Notification Rule. Unfortunately, over 53% of organizations don’t test employees on HIPAA training.

It’s a known fact that an organization’s weakest security link is its employees, which makes proper HIPAA training critical. While organizations do seem to be doing better, there are still a lot of improvements to be made. Employees should be trained and tested regularly so they understand your organization’s policies on HIPAA.

Talk to us about training your employees! 

What does this mean for healthcare? 

Based on our data, a lot of the healthcare professionals don’t know what makes up their security. What’s scary is these are all healthcare professionals responsible for HIPAA compliance.

Similar to 2015, many healthcare professionals in 2016 struggle more with the Security Rule in HIPAA. As a result, most healthcare organizations that have had PHI stolen or leaked weren’t fully compliant with the Security Rule.

That being said, the organizations we surveyed seem to be doing better in certain aspects of HIPAA compliance, with only 7% of respondents saying employees share ID credentials and only 15% of organizations allowing employees to use personal mobile devices to access patient data.

Overall, the state of HIPAA hasn’t changed much from last year, but there are a few improvements.

The biggest change healthcare organizations should make is improving employee awareness of the Security Rule. Many healthcare professionals in charge of HIPAA just don’t know enough about data security.

Tips

Here are a few things to keep in mind when getting compliant with HIPAA:
  • Train employees at least quarterly: you and your employees need to understand HIPAA compliance better and understand how to secure your patient data
  • Get expert help: it’s a good idea to consult HIPAA Compliance and Security Assessors and other security experts to help your organization where you’re struggling
  • Do security testing: hire penetration testers and ethical social engineers to test your systems and your employees

Need help with HIPAA? Check out our 2017 Guide to HIPAA Compliance.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
