Mar 25, 2015
Survey Reveals Shortfalls in Healthcare Security and Compliance Policy and Major Mobile Vulnerabilities
DataMotion, an email encryption and health information service provider (HISP), offers the results of its third annual survey on corporate email and file transfer habits, revealing significant security risks. While companies in all industries increasingly have put security and compliance policies in place – nearly 90 percent of all respondents affirming that in 2014 (compared to 81 percent in 2013) – the growth is largely from healthcare entities.
More than 97 percent from the industry report their organizations as having policies in place, compared to 90.4 percent in 2013. However, challenges remain for healthcare when it comes to implementing these, ranging from low employee comprehension to policy violations. Additionally, a lack of encryption, risks in mobile device usage and low awareness of Direct Secure Messaging (Direct) pose serious issues for the highly regulated industry.
DataMotion polled more than 780 IT and business decision-makers across the U.S. and Canada. In particular, the survey focused on individuals who routinely work with sensitive data and compliance regulations in a variety of industries including healthcare, financial services, education and government.
More than 300 respondents were from healthcare. Key insights/comparisons on the industry include:
Healthcare Security and Compliance Policy: Gains Undermined by Implementation Failure
- 36 percent of healthcare respondents said within their entity, security and compliance policies are at most only moderately enforced.
- 81 percent of all respondents said employees/co-workers either occasionally or routinely violate these policies. While healthcare fared better, nearly 73 percent admitted the same.
- Key to making policies work is ensuring employee comprehension. When asked if they thought employees fully understood these types of policies, more than a third in healthcare said no, just a slight improvement over those from other industries.
- When asked about common reasons why policies are violated, 52.7 percent from healthcare said it was because employees were not aware of the policy or that they were in violation. Another 29.1 percent said employees didn’t understand policies. Most troubling, 18.2 percent said policies were intentionally violated by employees to get their job done.
- These healthcare findings raise a “red flag,” since a key part of passing an HHS/OCR HIPAA audit is demonstrating that policies have actually been implemented.
Lack of Email Encryption, Mobile Dangers and the Direct Problem
- Nearly a third of respondents across other industries reported they don’t have the capability to encrypt email. Healthcare posted only a slightly lower response, with nearly a quarter of respondents saying the same.
- 80.8 percent of healthcare respondents affirmed they’re permitted to use mobile devices for email. Yet, of those that permit email on a mobile device and have encryption at their organization, 31.3 percent cannot send and receive encrypted email from their mobile client.
- Direct – the secure, email-like protocol developed for healthcare – garnered news coverage throughout 2014. Nearly 42 percent of healthcare respondents said they’re unaware of Direct. And of those who are aware of Direct, 42 percent say their organization is not using the alternative to email encryption.
- The widespread use of mobile devices in healthcare, coupled with a lack of encryption, creates a “perfect storm” for exposing sensitive data.
Business Associates and the Long Tail of HIPAA/HITECH
- Almost 70 percent of respondents whose organizations have a business relationship with a healthcare entity process their protected health information (PHI). Yet, 28 percent said they were either not a Business Associate (BA) or were unsure if they were.
- Of those processing a healthcare entity’s PHI, 40.5 percent had either not been asked to sign a Business Associate Agreement or were unsure if they had.
- HIPAA regulations redefined BAs to include downstream entities. Many not previously impacted by HIPAA/HITECH now fall under its long tail. The above numbers show a lack of awareness, placing BAs and the healthcare entities they represent at risk for non-compliance.
“Though the survey shows year-over-year growth in the number of companies putting security and compliance measures in place, the widespread security risks occurring are of great concern,” said Bob Janacek, chief technology officer at DataMotion. “Particularly at a time when organizations have experienced serious data breaches, it’s essential for companies to have strong policies and ensure employees fully understand and follow these. While healthcare has made gains in policy development, it’s all for naught if implementation fails, especially in such a highly regulated industry.”
“These measures should be across the board, as the data shows a gaping hole in security when it comes to mobile devices – with many companies permitting their use but not taking into account their lack of email encryption capabilities,” added Janacek. “Hopefully, this data will provide organizations with a better understanding of what steps need to be taken to ensure security and compliance.”
To view the healthcare survey report, visit: http://www.datamotion.com/get-datamotion-2014-survey-report-healthcare-secure-email-file-transfer-practices/.
For survey results across all industries, visit: http://www.datamotion.com/get-datamotion-2014-survey-report-secure-email-file-transfer-corporate-practices/.