Health care companies believe they have a tougher time meeting state and federal data security compliance regulations than their counterparts in financial services, utilities and manufacturing, according to an all-industry survey conducted by Lockpath Inc., a risk management firm.
And why not? They are overwhelmed by state and federal mandates that cover patients specifically, such as HIPAA, and consumers in general, such as the Payment Card Industry Data Security Standard, or PCI DSS, said Ben Tomhave, principal consultant at Lockpath Inc.
"It varies from industry to industry, but health care is definitely near the top in terms of the number of regulations they have to comply with," Tomhave said. "The big three are health care, financial services and the energy sector. Health care has a heavier burden than the average company, for sure."
Out of 181 survey respondents across all industries (health care accounted for 10%), all health care companies reported they have a risk management and data security compliance process in place, compared to 91% of utility companies, 77.5% of financial services companies, and 71.4% of manufacturing companies.
Health care respondents are also most likely to amp up compliance efforts in 2012. Such efforts include streamlining vendor audits and risk assessments, automating processes and simplifying reporting, ensuring that employees are trained on emergency procedures, and expanding environmental standards compliance programs. Moreover, they are building whole new data security compliance efforts around the emerging IT landscape in which they manage data from multiple sources -- especially as they move more and more patient data into the cloud.
Considering all that, it's probably not surprising that, while other industries said their top data security compliance challenges include looking for threats, preparing for audits and staying on top of federal regulations, health care respondents said their biggest problem was getting a composite snapshot of what all their risks actually are.
"Health care is used to being regulated in the physical security realm," Tomhave said. "HIPAA changed that, given some of the privacy and security ramifications, but then HITECH [Act] came in and really [gave it] some teeth."
While the laws themselves might seem straightforward, the federal government's lack of consistency in enforcement of those laws makes it difficult for health care providers to manage risk and feel they're in compliance, Tomhave added. "At times, it feels like a moving target."
While health care companies are addressing risks more than companies in other industries, they struggle more in the security risk assessment phase. They also have not been able to advance in mitigating risks and simplifying the reporting process once they manage to collect the data from all their disparate sources across the enterprise.
Health care organizations also struggle to pinpoint where their risk ends and risk for partners such as cloud IT services providers and other HIPAA business associates begins, Tomhave said. Sharing risk with partners will be part of health care companies' compliance plan in the near future, but it's still a gray area -- and right now it's difficult to determine what regulators will deem an adequate risk assessment.
"To what extent do you have to assess [third parties]? What is their duty and what is your duty?" Tomhave asked. "HIPAA and HITECH obviously put a lot of the onus on [hospitals] themselves to go out and proactively manage third parties. But at some point the responsibility has to be handed off and transferred."
Editor's note: This story originally indicated that LockPath CEO Chris Caldwell was speaking. It has been modified to reflect the correct source, Ben Tomhave, LockPath principal consultant.