While chief information officers, IT directors, and their staff are increasing the priority of their organizations’ information management strategies, many still report a lack of key data policies and safeguards, according to a study conducted by the global consulting company Protiviti.
The findings, published in the second annual IT Security and Privacy Survey, comprise feedback from approximately 200 respondents, the greatest number of whom hold the titles of IT VP/Director (21%), IT Manager (16%), or CIO (11%), drawn from nearly a dozen industries, including financial services and healthcare.
In terms of key policies, the survey reveals that areas for improvement still surround written information security policies (WISPs) and data encryption. While both areas showed increases over the past year in the percentage of respondents indicating that these policies are in place, nearly a quarter of those surveyed still lack a WISP (23%) and close to one-third are without an appropriate data encryption policy (32%). These percentages are two to three times higher than the corresponding figures for record retention/destruction and acceptable use policies.
“These are high percentages when considering that such gaps open up these organizations not only to security risks, but also to significant legal exposure,” argue the authors of the study. “However, most of these laws allow for leniency if the organization that experienced a data breach has two things in place operationally: a WISP and a data encryption policy.”
While most of the organizations covered in the study have multiple policies in place to prevent “data leakage” — most common among them password (87%), information security (77%), data protection/privacy (74%), workstation/laptop security (73%), and user access policies (72%) — two kinds of policies are far less common, despite being especially pertinent to health data security and privacy, as demonstrated by the stream of health data breaches occurring over the past several months: removable media (49%) and information exchange (35%) policies.
Lost or stolen laptops or portable media have featured in a large number of recent breaches and usually affect a significant amount of protected health information (PHI) or personally identifiable information (PII) at the very least. With the rise of health information exchange about to occur as a result of the EHR Incentive Programs (i.e., “meaningful use”), the formation of accountable care organizations (ACOs), and other initiatives aimed at promoting the exchange of health information among providers and between providers and patients, a lack of an information exchange policy needs to be remedied in the near term to mitigate risks in the near and long term.
If the Protiviti survey is any indication of opportunities for improvement, one important one is in the area of building awareness at the highest level, which can then be shared with the entire organization. According to the survey, only a minority of managers do an excellent job of communicating with their organizations about differentiating between public and sensitive data (23%), compared to those who do an acceptable job (50%) or have serious room for improvement (21%).
Considering the changes to health data security and privacy to be imposed by the HIPAA omnibus rule in September, knowledge is key to avoiding preventable risks. “Under data privacy laws such as HIPAA/HITECH, a company is responsible for how data is handled in the hands of its business associates and vendors,” explain the authors. “An organization must know where all of its data is going and how it is being managed, particularly if it goes to a third party.”
The complete findings are available here.
Image Credits: Protiviti