63% Of US Healthcare Organizations Failing To Adequately Identify Individual User Access To Patient Data
Just 37% of healthcare employees are restricted from logging on to multiple devices concurrently, while 30% do not even have a unique login ID
Concurrent logins, manual logoffs, password sharing and the lack of unique logins are putting patient records at risk, new research has revealed. A report by security software provider IS Decisions found that, despite HIPAA’s security rules imposing restricted access to electronic patient health information, 63% of healthcare staff are still able to log on to different devices and workstations concurrently, 49% are required to log off manually, and 30% do not have unique logins.
The report, ‘Healthcare: data access compliance’, highlights several issues that have a direct effect on the security of information within the healthcare industry. Access to personal data can be life-dependent, but there has to be a reliable access management procedure and system in place. According to the report, 82% have access to patient data, which is worrying considering that 30% do not have unique logins for this access, making proper user identification impossible. Surprisingly, only 37% are restricted from concurrent access, a requirement given that attribution is difficult when users can be logged in from multiple devices and locations.
Derek Brink, vice president and research fellow at Aberdeen Group, said: “This guide is an excellent example of how to simplify compliance. It describes a set of basic security practices for healthcare organisations that will help safeguard sensitive patient data, and satisfy an array of compliance requirements from the Health Insurance Portability and Accountability Act (HIPAA).”
The report also details security training, covering both the on-boarding of new employees and those who have settled into their jobs. It showed that 29% of healthcare professionals did not receive any security training when they were employed, and only 55% of existing employees received IT security training.
The figures around access, logins and password sharing, as well as those around IT security training, show the need, firstly, to implement a good access management system and, secondly, to train staff to raise awareness and build accountability.
David Childers, fellow at Open Compliance & Ethics Group (OCEG), said: “70% of data losses in healthcare are caused by human error. Both Ponemon and Experian in their latest reports regarding data breach and protection challenged healthcare organisations to ‘step up’ their security posture. Not only did these studies cite the increase in breach event activity but noted the likely rise in legal and regulatory scrutiny that will come in 2016.”
Francois Amigorena, CEO of IS Decisions commented, “Unlike an office where employees have designated computers and workstations, doctors and nurses are always on the go, moving from operating theatres to patient rooms and so on. Healthcare organizations need to protect the patient’s right to privacy while ensuring healthcare professionals get the necessary access to provide the best treatment for their patients.
“Information of this critical and confidential nature should only be accessible by authorized users and it really should not be a complicated process. This can be easily achieved with the right combination of implementing access control policies, applying user identity verification and improving user activity auditing.”
About IS Decisions
IS Decisions makes it easy to safeguard and secure your Microsoft Windows and Active Directory infrastructure. With solutions for user access control, file auditing, server and desktop reporting, and remote installations, IS Decisions combines the powerful security today’s business world mandates with the innovative simplicity the modern user expects. Over 3,000 customers around the world rely on IS Decisions to prevent security breaches; ensure compliance with major regulations, such as SOX, FISMA and HIPAA; quickly respond to IT emergencies; and gain time and cost-savings for IT.
IS Decisions is a Microsoft Silver Partner based in Biarritz, France. Customers include American Express, BAE Systems, BMW, Computer Sciences Corporation, FBI, Frito-Lay, GlaxoSmithKline, IBM, Lockheed Martin, Mitsubishi, Oxford University, South Wales Police, TimeWarner, United Nations Organization, US Department of Justice, US Department of Veterans Affairs and US Navy Marine Corps.
Source: IS Decisions