Survey reveals top healthcare security issues: Risks taken by employees, mobile vulnerabilities
Healthcare entities have increasingly put security and compliance policies into place but they face a range of challenges including low employee comprehension and policy violations.
Those are the findings of the third annual survey on corporate email and file transfer habits from DataMotion, an email encryption and health information service provider (HISP).
Healthcare also faces a lack of email encryption, risks from mobile device usage and low awareness of Direct Secure Messaging (Direct), all of which pose serious issues, according to DataMotion.
The survey polled IT and business decision-makers across all industries and more than 300 respondents were from healthcare. Among the findings:
Security & Compliance Policy: Gains Undermined by Implementation Failure
- 36 percent of healthcare respondents said within their entity, security and compliance policies are at most only moderately enforced.
- 81 percent of all respondents said employees/co-workers either occasionally or routinely violate these policies. While healthcare fared better, nearly 73 percent admitted the same.
- Key to making policies work is ensuring employee comprehension. When asked if they thought employees fully understood these types of policies, more than a third in healthcare said no, just a slight improvement over those from other industries.
- When asked about common reasons why policies are violated, 52.7 percent from healthcare said employees were not aware of the policy or did not realize they were in violation. Another 29.1 percent said employees didn't understand the policies. Most troubling, 18.2 percent said employees intentionally violated policies to get their job done.
- These healthcare findings raise a "red flag," because a key part of passing an HHS/OCR HIPAA audit is demonstrating that written policies are actually implemented and enforced, not merely documented.
Lack of Email Encryption, Mobile Dangers and the Direct Problem
- Nearly a third of respondents across other industries reported they don't have the capability to encrypt email. Healthcare posted only a slightly lower figure, with nearly a quarter of respondents saying the same.
- 81 percent of healthcare respondents affirmed they’re permitted to use mobile devices for email. Yet, of those that permit email on a mobile device and have encryption at their organization, 31 percent cannot send and receive encrypted email from their mobile client.
- Direct, the secure, email-like messaging protocol developed for healthcare, garnered news coverage throughout 2014. Nearly 42 percent of healthcare respondents said they're unaware of Direct. And of those who are aware of it, 42 percent say their organization is not using it as an alternative to conventional email encryption.
- The widespread use of mobile devices in healthcare, coupled with a lack of encryption, creates a “perfect storm” for exposing sensitive data.
Business Associates and the Long Tail of HIPAA/HITECH
- Almost 70 percent of respondents whose organizations have a business relationship with a healthcare entity process their protected health information (PHI). Yet, 28 percent said they were either not a business associate (BA) or were unsure if they were.
- Of those processing a healthcare entity’s PHI, 40.5 percent had either not been asked to sign a Business Associate Agreement or were unsure if they had.
- The HIPAA Omnibus Rule redefined BAs to include downstream entities, such as subcontractors that handle PHI on a BA's behalf. Many organizations not previously affected by HIPAA/HITECH now fall under its long tail. The numbers above show a lack of awareness, placing BAs and the healthcare entities they serve at risk of non-compliance.
“Though the survey shows year-over-year growth in the number of companies putting security and compliance measures in place, the widespread security risks occurring are of great concern,” said Bob Janacek, chief technology officer at DataMotion, in a release. “Particularly at a time when organizations have experienced serious data breaches, it’s essential for companies to have strong policies and ensure employees fully understand and follow these. While healthcare has made gains in policy development, it’s all for naught if implementation fails, especially in such a highly regulated industry.”
“These measures should be across the board, as the data shows a gaping hole in security when it comes to mobile devices – with many companies permitting their use but not taking into account their lack of email encryption capabilities,” he added. “Hopefully, this data will provide organizations with a better understanding of what steps need to be taken to ensure security and compliance.”
View the healthcare survey report.