Brand Barney consults organizations on HIPAA compliance all over the world. He says there is a universal truth regarding healthcare organizations when trying to keep patient data secure.
"Your staff members are your biggest weakness," says Barney, a security analyst at Orem, Utah-based SecurityMetrics, which provides HIPAA compliance solutions to practices and other healthcare organizations. While HIPAA is an American law, Barney explains that his company does data security training for international companies in contact with protected health information (PHI) from patients in the U.S. He says organizations of all sizes across the world suffer from this problem.
A recent survey from the Ponemon Institute backs up Barney's assertion. Nearly 70 percent of healthcare organizations polled by the research firm say that employee negligence is their biggest concern in securing sensitive patient data. Another research effort from Identity Theft Resource Center (ITRC) and CyberScout similarly found that one of the top causes of healthcare data breaches was employee error.
"I don't think staff members are trying to be malicious…what I see most often is they're trying to do their job. They're trying to increase revenue, increase patient satisfaction, and by proxy, they start to screw it up. And then we start to see vulnerabilities and threats acted upon. It becomes a sizable problem," Barney says.
Essentially, he says, physicians are focused on the patient experience and hand data security functions off to staff members, who are overburdened in their own right and thus place data security on the back burner. This is especially true in small practices, Barney adds. Kyle Haubrich, counsel with St. Louis-based Sandberg Phoenix & von Gontard P.C., a healthcare law firm, agrees with that sentiment.
"Physicians went to school to be physicians, not to make sure they are complying with every single government regulation on healthcare. So they hand it off to the office manager to handle HIPAA compliance…and so the office manager is already overwhelmed trying to manage the office and then having to do HIPAA work," Haubrich says.
Often, Barney says, healthcare organizations will try to solve the problem by buying software that promises to solve all of their data security problems. However, Barney says these technologies ignore the human aspect of HIPAA compliance and the fact that there is no simple method or silver bullet for creating a culture that is entirely data secure.
Bad Training Days
Perhaps the most pertinent factor that has led to employees being the top cause of data breaches is inadequate HIPAA compliance training, experts say. Rachel Rose, a Houston-based attorney who focuses on various healthcare regulatory compliance issues, says HIPAA training often comes in the form of ineffective and incomplete PowerPoint slides or a boring third-party presentation. Servio Medina, chief operations officer for the cybersecurity policy branch at the Defense Health Agency, the health system that oversees 400 military hospitals and clinics, agrees, saying poor training often comes down to a lack of passion.
"If we're not passionate and we're relying on a policy and a poster on the wall…we're going to fail because people aren't hearing [what you're trying to train them on] or it just doesn't resonate and they're not recalling it when they need it," says Medina.