Laptop Computer Security

HIMSS Report Reveals False Sense of Security for Patient Data

A report from the Healthcare Information and Management Systems Society (HIMSS) reveals some interesting new findings about the state of data security in the healthcare sector and, as most would agree, healthcare-related data is among the most sensitive of all. Healthcare IT News has a very helpful summary article about the report, and a blog entry as well.

The report was based on a biannual survey of 250 healthcare professionals nationwide and was commissioned by Kroll Fraud Solutions. The overall flavor of the report suggests a degree of “overconfidence” among healthcare IT professionals about the actual security of their data: they perceive it to be much more secure than it is. And, as we see in breach after breach, that overconfidence often turns out to be exactly that.

Kroll’s summary of key findings states:

  • New regulatory activity, including the implementation of the Red Flags Rule and HITECH Act, has created a false sense of security among healthcare organizations that their facilities are secure and prepared should a breach occur.
  • Healthcare organizations continue to underestimate the high costs of a data breach, despite new industry data which puts the average cost per industry data breach at $6.75 million.
  • Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.

A more extensive list of highlights is found in the Healthcare IT News article:
  • Despite new regulatory activity, including the implementation of Red Flags Rule and HITECH Act, and increased compliance among healthcare providers, the reporting of healthcare breaches is on the rise.
  • The majority of survey participants indicated that they were compliant with existing laws and regulations.
  • Average responses were above a 6.0 (on a scale of 1-7, with 7 being the highest level of compliance) for almost all laws and regulations, including CMS Regulations, HIPAA, State Security Laws and Red Flags Rule. Only HITECH scored lower (5.75), most likely due to the fact that HITECH was still not fully implemented at the time of the survey.
  • The number of healthcare organizations that reported a breach increased by six percent in 2010 to 19 percent of total respondents – up from 13 percent in 2008.
  • When asked to rate their level of “preparedness” for a future security breach, respondents from organizations having experienced a breach cited a preparedness level of 6.06 (on a scale of 1-7, with 7 being most prepared).
  • Healthcare organizations continue to underestimate the high costs of a data breach, despite the fact that penalties for HITECH violations can reach as high as $1.5 million dollars.
  • Patient satisfaction was most frequently cited as the primary impact of a data breach on their organization (38 percent), while only 15 percent cited the financial costs, down from 18 percent in 2008.
  • Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.
  • Eighty-seven percent of respondents indicated that they have policies in place to monitor access and sharing of electronic health information, yet research shows that 84 percent of healthcare breaches since 2003 were due to “low tech” incidents such as lost or stolen laptops, improper disposal of documents, stolen backup tapes, etc.
  • Sixty percent of respondents said they required third party vendors to provide proof of employee training and only half indicated that they required third party vendors to provide proof of employee background checks. As organizations prepare for the broader sharing of electronic health records across massive networks of providers, payers, state and federal repository systems, third party involvement is only expected to increase in the coming years.
There is indeed a lot to crunch and, as noted in the articles, it’s a “bittersweet” set of results. On the positive side, data security is getting much more attention and many healthcare organizations are taking action. But on the negative side, there’s still a very serious gap between “theory and practice,” so to speak. In theory, organizations think they’re secure and are shooting entirely for “compliance.” In practice, not so.

This elicits thoughts of the old cliché: In theory, there’s no difference between theory and practice. In practice, there is.

Download the full report here. Thanks to security curmudgeon on DataLossDB for the heads-up.
