Richard Santalesa over at the InfoLawGroup has a great outline of the recent Ponemon report. He lists several important findings, and it is a great synopsis if you don’t want to read the whole thing. Here are some of his thoughts:
- The ability to prevent and detect data breaches has made strides, but is far from sufficient.
- What to say here that doesn’t have us all rushing to stick our heads in the oven? First, deep breath. On the downside, only 40% of healthcare organizations are confident today in their ability to prevent and detect patient data loss or theft, which clearly means we’re in worrying “Mayday! Mayday! Mayday!” territory. And with every organization under fiscal and performance pressure, the situation is not likely to rapidly improve. That’s the bad news. But the report does note the positive that organizations are moving away from loosey-goosey “ad hoc” processes towards regimented policies and procedures and security tech. Good. But we all have work to do in this area and, really, it again comes back to ensuring key personnel embrace security seriously and are then willing to personally backstop efforts to enable osmosis to imbue security awareness throughout their organizations.
- The carrot and the stick works. Sort of.
- Or as the report puts it, “compliance encourages improvements in privacy and data security” – in English, this means HHS OCR audits and fines have thrown fear into organizations, with 68% of organizations having in response conducted and documented post data breach incident risk assessments. We all know that no one, well almost no one, enjoys the threat of HIPAA/HITECH penalties hanging over them, but it has enabled security personnel to point to the danger over the horizon and then stick a finger on their data map where it now says “Here be dragons!” to gain new attention for security efforts.
- Barriers to achieving a stronger defense against data breaches continue to be a shortage of technologies, funding and expertise.
- In other words, “dog bites man.” Money is always short. Crucial skills are both fleeting and in short supply. Technology marches on at light speed. That said, a resounding 52% (up from 41% in 2010) of organizations agreed they have “sufficient” policies and procedures in place to prevent or quickly detect unauthorized patient data access, loss or theft. But policies and procedures are one thing. The proof of the pudding comes in when the data hits the road, and on that front significant road rash was reported, with only 27% of organizations stating they have enough security resources and 34% claiming their security budgets were satisfactory. As any road racer knows, “your vehicle/cycle steers to where you’re looking.” No, that’s not a Zen koan.
You can read the full article here: Ponemon Study on Patient Privacy Highlights Security Failings