User Access A Common Concern In Health Care

May 13, 2008 4:15 PM

During the Health Information Management and Systems Society (HIMSS) 2008 conference in February, 64 percent of those who took part in a survey said compliance and user access control were their top security concern.

The research was conducted with HIMSS attendees, including a cross-section of health care providers ranging from community hospitals to multi-hospital systems. The focus group and survey were developed to gain more insight into how health care providers view the importance of security and compliance efforts, especially in context of patient care, privacy priorities and increasing enforcement of HIPAA guidelines.

According to The Tech Herald, among 136 pre-screened HIMSS respondents, 60 percent reported issues with users sharing passwords, 52 percent found that orphaned user accounts were not properly disabled after employment was terminated, and 38 percent of respondents said there had been instances of inappropriate access.

While risk management issues are clearly viewed as a priority, a Courion-commissioned focus group conducted by HIMSS Analytics uncovered an increasing concern that the pressure to deploy comprehensive electronic medical record (EMR) systems is taking budget and resources away from other priorities – specifically security and compliance efforts.

“The HIMSS research supports an interesting dichotomy we’re seeing in the health care market today. With CIOs taking on increasing responsibility for risk management issues along with operations, security is being looked at more strategically by hospitals,” Todd Chambers, chief marketing officer, Courion told The Tech Herald.

“But with limited budgets, it’s a challenge to prioritize. With more hospitals relying on remote and non-employee workforces, combined with the use of mobile and virtualization technology, the IT environment is increasingly difficult to secure, and without the enforcement of proper policies and checks and balances, audits will become increasingly difficult to pass,” Chambers said.

There is no doubt that HIPAA remains a primary driver of IT and security decision-making. In fact, according to the HIMSS attendee survey, 75 percent of respondents were concerned about facing a HIPAA audit and the majority of respondents (60 percent) cited the threat of a HIPAA compliance audit as the strongest driver for their security initiatives.

There was an overriding sentiment, Courion reported, that compliance and security don’t become top priorities unless there is a security breach or the hospital is facing an external audit.

This reactive approach to compliance and security is an increasing concern, particularly as high-profile privacy breaches. In fact, many of those who responded to the survey felt there was a sense of denial at the executive level about their facility actually being vulnerable to a security breach.

The survey found that over the past year, the most common compliance vulnerabilities were users sharing passwords, orphan accounts left active and inappropriate access. Like the survey results point out, while most hospitals conduct regular audits to determine if data has been compromised, audits alone do nothing to prevent a breach from happening in the first place.

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue