Survey Reveals Cybersecurity and Social Media as Top Compliance Concerns

Cybersecurity is a top compliance concern, according to a survey of compliance professionals conducted by the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE). In January 2016, HCCA and SCCE surveyed 900 individuals, suggesting 38 potential compliance issues and asking them to pick no more than 10 in answer to the question: “What are the hot topics in compliance you will be focusing on in 2016?” Those surveyed included compliance professionals from many different sectors, including health care.

The results revealed that cybersecurity and cybercrime were the top concern among survey respondents overall. For health care respondents, cybersecurity and cybercrime ranked second, behind another internet-related issue—social media compliance risks. The SCCE and HCCA report on the survey reveals the top five responses identified by respondents overall and grouped by employer type. For health care companies, other issues making the top five were: “More effective internal investigations,” False claims enforcement, and “Creating/Maintaining an ethical culture.” For small entities, nonprofits and privately held businesses, cybersecurity and social media compliance risks were the most frequently cited issues. Respondents at larger and publicly traded companies, however, placed cybersecurity risks behind third party risks and leveraging compliance to increase efficiency and effectiveness.

The survey results correspond to many other reports highlighting cyber risks in health care. In 2014, the Federal Bureau of Investigation warned that the health care industry wasn’t prepared for cyber risks. Cybersecurity was also named by health care attorneys interviewed by G2 Compliance Advisor about the top 10 compliance issues facing laboratories and pathology groups in 2016.

HHS Task Force Members Named as $3.9 Million HIPAA Settlement Highlights Need for Better IT Security

A $3.9 million settlement arising from a potential HIPAA breach and an announcement regarding a U.S. Department of Health and Human Services Task Force emphasize the risks to the privacy and security of patients’ health information.

Feinstein Institute for Medical Research, a biomedical research institute based in New York, agreed to the settlement which includes a corrective action plan after a laptop was stolen from an employee’s car, according to an HHS Office for Civil Rights (OCR) March 17 press release. “This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research,” HHS said. The settlement is the result of an investigation following the organization’s filing of a breach report concerning the 2012 theft of the laptop, which reportedly held about 13,000 patients’ and research participants’ health information. OCR asserted the organization failed to have adequate policies and procedures and safeguards with regard to laptops.

Just a day earlier, HHS had also announced membership of the Health Care Industry Cybersecurity Task Force which includes government and private sector leaders. The Task Force will seek “the best ways organizations of all types are keeping data and connected medical devices safe and secure” and report to Congress within the next year before the Task Force’s term ends in March 2017. The Task Force arises out of the Cybersecurity Information Sharing Act of 2015 and will also develop materials to help organizations ensure security of health information.

A May 2015 Ponemon Institute study revealed that health care-related criminal attacks on data increased 125 per cent since 2010 and were “the leading cause of data breach” in health care, yet most organizations still weren’t prepared to respond to this threat to patient information. (See G2 Compliance Advisor, May 2015, p. 3) The authors of the Ponemon report also estimated that such breaches cost the health care industry $6 billion annually, with average costs per breach for individual health care organizations hitting about $2.1 million.

In February 2016, the Ponemon Institute released results of a new study, The State of Cybersecurity in Healthcare Organizations in 2016, which indicates 48 per cent of health care organizations surveyed have had a cyber incident in the past year that involved exposure or loss of patient information. The Ponemon Institute—a research firm focused on privacy and information management—worked with ESET, a security software developer, on the study, which surveyed 535 IT and IT security professionals in small to medium-sized health care organizations. “Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks,” reported Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement announcing the organization’s latest study.

In that study, 81 per cent of organizations surveyed identified patient medical records as the biggest target for hackers and others seeking unauthorized access. The top threats reported by surveyed entities were system failures, cyber attacks and unsecure medical devices. More than half of those surveyed reported that new technologies relevant to mobile health and big data and cloud storage increased risk to patient information. Other risks of concern included employee negligence and business associate relationships.

Takeaway: Cybersecurity continues to be a significant concern for both IT and health care compliance professionals.








