
Cybersecurity and Social Media Lead Compliance Concerns for Health Care Compliance and IT Professionals

by | Mar 22, 2016 | Compliance-nir, Essential, National Lab Reporter


In 2014, the Federal Bureau of Investigation warned that the health care industry wasn't prepared for cyber risks. Last year, National Intelligence Report reported on a May 2015 Ponemon Institute study that revealed health care-related criminal attacks on data increased 125 per cent since 2010 and were "the leading cause of data breach" in health care, yet most organizations still weren't prepared to respond to this threat to patient information. The authors of the Ponemon report also estimated that such breaches cost the health care industry $6 billion annually, with average costs per breach for individual health care organizations hitting about $2.1 million.

Just last month, the Ponemon Institute released results of a study, The State of Cybersecurity in Healthcare Organizations in 2016, which indicates 48 per cent of health care organizations surveyed have had a cyber incident in the past year that involved exposure or loss of patient information. The Ponemon Institute—a research firm focused on privacy and information management—worked with ESET, a security software developer, on the study, which surveyed 535 IT and IT security professionals in small to medium-sized health care organizations. "Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks," reported Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement announcing the organization's latest study.

Thus, it shouldn't be surprising that cybersecurity is a top concern among compliance professionals, according to a survey conducted by the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE). In January 2016, HCCA and SCCE surveyed 900 individuals, suggesting 38 potential compliance issues and asking them to pick no more than 10 in answer to the question: "What are the hot topics in compliance you will be focusing on in 2016?" Those surveyed included compliance professionals from many different sectors, including health care.

The results revealed that cybersecurity and cybercrime were the top concern among survey respondents overall. For health care respondents, cybersecurity and cybercrime ranked second, behind another internet-related issue—social media compliance risks. The SCCE and HCCA report on the survey reveals the top five responses identified by respondents overall and grouped by employer type. For health care companies, the other issues making the top five were: "More effective internal investigations," False Claims Act enforcement, and "Creating/Maintaining an ethical culture." For small entities, nonprofits and privately held businesses, cybersecurity and social media compliance risks were the most frequently cited issues. Respondents at larger and publicly traded companies, however, placed cybersecurity risks behind third-party risks and leveraging compliance to increase efficiency and effectiveness.

These results coincide with data reported by the Ponemon Institute last month. In that study, 81 per cent of organizations surveyed identified patient medical records as the biggest target for hackers and others seeking unauthorized access. The top threats reported by surveyed entities were system failures, cyber attacks and unsecure medical devices. More than half of those surveyed reported that new technologies relevant to mobile health and big data and cloud storage increased risk to patient information. Other risks of concern included employee negligence and business associate relationships.

Takeaway: Cybersecurity continues to be a significant concern for both IT and health care compliance professionals.
