The majority of healthcare organizations, 97 percent, have put healthcare security and compliance measures into place, according to DataMotion's third annual survey on corporate email and file transfer habits. This is an increase from last year, when 90.4 percent of respondents said they had implemented such measures.
However, the healthcare industry still faces challenges when it comes to security and compliance. Employees who do not understand these measures, and policy violations that continue to take place despite them, are among the reasons cited for healthcare's struggles.
DataMotion surveyed more than 780 IT and business decision makers in the US and Canada, with approximately 300 respondents coming from the healthcare industry specifically.
The survey also found that nearly 73 percent of surveyed healthcare companies said that employees or co-workers either occasionally or routinely violate security and compliance policies. This reflects a broader trend across all industries, as 81 percent of all respondents admitted to the same.
Other key survey findings include:
- 36 percent of healthcare respondents said that within their entity, security and compliance policies are at most only moderately enforced
- More than one-third of healthcare companies said that their employees do not understand security and compliance policies
- 52 percent of healthcare entities said violations happen because employees were either unaware of the policy or unaware that they were violating it
- 18.2 percent of healthcare respondents said that policies were intentionally violated in order to get the job done
“Though the survey shows year-over-year growth in the number of companies putting security and compliance measures in place, the widespread security risks occurring are of great concern,” DataMotion Chief Technology Officer Bob Janacek said in a statement. “Particularly at a time when organizations have experienced serious data breaches, it’s essential for companies to have strong policies and ensure employees fully understand and follow these.”
Janacek added that even though healthcare in particular has improved its policy development, those gains are lost if implementation fails. This is especially true in such a highly regulated industry, he said.
A lack of email encryption was common across all industries, according to the survey. In healthcare specifically, approximately one-quarter of respondents said they do not have the capability to encrypt email at all. Moreover, nearly 80 percent of healthcare entities said they are allowed to use mobile devices for email access, yet just over 31 percent added that they cannot send or receive encrypted email from their mobile client, meaning that for those organizations any PHI handled on a phone or tablet travels unprotected.
Permitting the use of mobile devices without accounting for email encryption leaves a gaping security hole, according to Janacek, who added that he hopes the survey gives organizations a better understanding of the steps necessary to ensure security and compliance.
There were also gaps when it came to business associates and certain HIPAA requirements. HIPAA requires a covered entity to have a Business Associate Agreement (BAA) in place with any vendor that handles protected health information (PHI) on its behalf, yet of surveyed organizations that said they process a healthcare entity's PHI, 40.5 percent said they had either not been asked to sign a BAA or were unsure whether they had.