In late 2014, DataMotion conducted its annual survey of more than 700 IT and business professionals across the United States to gain insight into corporate email and file transfer policies. This report takes a closer look at those respondents identifying themselves as healthcare entities, and how they compare to other industries.

323 respondents fell into the healthcare category. With the exception of functional responsibility, their demographic makeup was very similar to that of other industries. Respondents held positions at all levels within their organizations, including staff, managers, directors and executives. Respondents are distributed fairly evenly across organizations of different sizes, with 33.4% from organizations with fewer than 100 employees and 37.5% from larger organizations (1,000 employees and more). There is also a range in the size of respondents' IT organizations, with 57.3% having 20 or fewer employees in the IT department and 42.7% having IT departments of more than 20. When it came to functional responsibility, there was more representation from departments other than IT, especially from administrative and clinical healthcare positions: 38.7% of healthcare respondents had IT responsibilities, versus 62.5% for other industries.

Policies Exist Yet Enforcement Still Lacking

Regardless of industry, the vast majority of organizations surveyed have security and compliance policies in place for transferring sensitive information such as files, emails and form data. Nearly 90% of all respondents said their company has these kinds of policies in place, an increase of almost 10 percent over the 2013 results (80.9%). However, the increase is largely accounted for by healthcare entities, with more than 97% having policies in place, compared to 90.4% in Only 82.3% of non-healthcare organizations reported having these kinds of policies.
Given HIPAA's requirements, and the ONC's push towards more audits, it is not surprising to see more policies enacted in healthcare organizations. When it comes to enforcement, however, many organizations are struggling. 36% of healthcare respondents said that within their entity, security and compliance policies are at most only moderately enforced. This is better than other industries, where 50% said policies are either rarely or moderately enforced, though all are still challenged with enforcement. Also, regardless of industry, the vast majority reported policies being violated. Nearly 73% of healthcare respondents said employees/co-workers either occasionally or routinely violate these policies, compared to 81% for other industries.

A key step to making policies work in any organization, healthcare or otherwise, is making sure employees are aware of, and understand, the policies in place. When respondents were asked whether they thought employees fully understood these types of policies, over a third of healthcare respondents said no. Other industries reported similarly, with 38.1% saying their company's compliance and security policies are not understood. When asked about the most common reasons policies are violated, over half (52.7%) of healthcare respondents said this was because the employee was not even aware of the policy or that it had been violated. Another 29.1% said the awareness was there but employees did not understand the policies.
Most concerning, 18.2% said policies were intentionally violated in order to get the job done. Other industries had somewhat fewer responses saying lack of awareness alone is the reason (46.5%), and slightly more saying policies are violated to get work done (24%), but both followed the same pattern. This points to a need for organizations in all industries to increase awareness that policies exist, and to do a better job of training employees about these policies: what they are, why they are needed and the impact of their not being followed. For healthcare organizations, a key part of passing an HHS/OCR HIPAA audit is demonstrating implementation of policies, including training and sanctions.

Progress on Policy Adherence

The good news is that many organizations, healthcare and otherwise, are taking steps to improve policy adherence: ongoing or mandatory training, more frequent communications, and the use of technology to monitor and report on policy compliance. Only 7.4% of healthcare respondents said they were not doing anything additional to improve policy compliance. More than half (64.2%) are conducting ongoing training, and 44.6% are using technology to increase policy adherence.

Survey responses show that most healthcare respondents indicated a variety of acceptable methods and tools for sending files containing sensitive data. Unencrypted email, encrypted email, free file transfer services and FTP were all accepted methods for transferring files with sensitive information digitally, with encrypted email far outweighing the others at 80%. Healthcare's use of unencrypted email for this purpose was lower than that of other industries, at 10% and 18% respectively.

Encryption Use Remains Steady

Even with impending HIPAA audits by the OCR in 2015, and more high-profile breaches in 2014, a significant percentage of healthcare organizations report that they do not use email encryption. Nearly a quarter, 24.4%, reported that they do not have the ability to encrypt email.
This compares to 32.5% for other industries. Similar to other industries, fewer small healthcare organizations reported using email encryption (66.7% for <100 employees) than large ones (87.3%). For those healthcare organizations that are using email encryption, a majority are implementing it in ways that improve ease of use, which is crucial for user adoption. 55.9% of healthcare respondents do not require a user to log into a portal to send or receive encrypted email, and nearly 90% have the capability to send and receive encrypted email directly from their desktop email client. Again, healthcare respondents did not materially differ from other industries in their responses.
Mobile Use Continues to Put Organizations at Risk

Mobile devices have invaded the healthcare workplace, and they are often cited as a source of concern when it comes to security risk. This study, along with others, supports that concern. 80.8% of respondents' organizations reported having policies permitting the use of email on a mobile device. And the devices are being used. A recent study by Spyglass Consulting Group [1] showed 96% of physicians using smartphones as a primary device to support clinical communications. Another study [2] shows 69% viewing patient information on a mobile device.

Yet many respondents said they do not have encryption enabled in their mobile email client. Of those with policies permitting email use on a mobile device, nearly a quarter (22.9%) do not use email encryption of any kind, on mobile or on a desktop. Healthcare respondents were similar to other industries in that those providing email encryption often don't have it enabled for employees in their mobile email client. Of the 175+ healthcare respondents providing email encryption and allowing mobile email use, nearly a third (31.3%) do not have the ability to secure their email from their mobile client. Again, like other industries, this risk especially applies to smaller organizations. When examined by size, 56.7% of small healthcare organizations (<100 employees) had not enabled email encryption in employees' mobile clients, versus 27.8% for large organizations (1,000+ employees).

In all industries, email is one of, if not the most, frequently used applications on a mobile device. According to a recent Radicati study, by 2018, 80% of email users are expected to access their accounts via a mobile device. [3] Healthcare is no exception. In a September 2014 study of physicians by Kantar Media [4], 64% of physicians were found to be using email on a smartphone. The widespread use of mobile devices for email, coupled with a widespread lack of email encryption on these devices, sets up a huge area of risk for these organizations.
Confidence Is Stronger for Healthcare

In 2013, we noted that HIPAA and associated regulations are having a visible impact on healthcare in regard to policies. That trend continues. While most healthcare respondents' organizations do have policies in place, over a quarter of them are not confident their company's email encryption policy provides adequate security against an email-related data breach. Yet healthcare respondents indicated more confidence in their security policies than other industries: 34.3% of other industries indicated a lack of confidence in their email encryption policy. And, when asked if their organization would pass if selected for a compliance audit in the next 12 months, over 60% of other industries were at best only somewhat confident in their ability to pass. Only 52.6% of healthcare respondents said the same. Healthcare respondents were also more inclined to say they strive to achieve total compliance, at 83.3% versus 71.2% for other industries. Only 15.6% of healthcare respondents said they take risks because they don't have the resources to be compliant, compared to 28.3% for other industries. This is not surprising given HIPAA/HITECH regulatory requirements for protecting sensitive data.

[1] Point of Care Communications for Physicians 2014, Spyglass Consulting Group
[2] Caradigm Infographic
[3] The Radicati Group Email Statistics Report
[4] Kantar Media Sources & Interactions Study, September 2014, Medical Surgical Addition

Direct Secure Messaging and Meaningful Use

Like other industries, healthcare entities still have some work to do when it comes to securing data in transit, but they face much higher demands for secure messaging. Unlike other industries, almost every message exchange and file transfer contains private health information in addition to personally identifiable information. Both must be secured under HIPAA and HITECH regulations. This means that virtually every workflow requiring message and file exchange must be secure (for example, electronic health record content). The survey responses indicate progress is being made. For example, Direct Secure Messaging (Direct) is starting to take hold. Direct is a secure and interoperable email-like protocol initiated by the U.S. Department of Health and Human Services specifically for healthcare providers. Its purpose as a part of the broader HITECH act is to reduce costs and improve care. Initially used for attesting to Meaningful Use Stage 2 (MU2) requirements, the HHS vision for Direct is to become the secure and interoperable messaging protocol for a national Health Information Network accessible by all healthcare providers. Unfortunately, 42% of healthcare respondents said they are not aware of the Direct protocol. Since usage of Direct is tied to meeting MU2 requirements for transmitting transition-of-care documents, awareness is likely confined to those actively pursuing MU2 attestation.
This suggests a need to continue awareness-building programs for Direct to further its adoption and use beyond an MU2 checkbox. Progress has been made, but there is more work to do. Of those aware of Direct, 57.7% were using it in their organization, again indicating progress driven by the MU program, and continued room for growth. Initial use of Direct is focused on improving continuity of care as patients transition between care settings, for example from a hospital to a long-term care facility, skilled nursing or other post-acute care environment. Specifically, Direct is being used to send transition-of-care documents to affiliates (60.2%), to receive transition-of-care documents from acute care facilities (40.8%), and to send and receive secure messages and files to/from patients (28.2%).
Many Electronic Health Records (EHR) system vendors have added HHS-certified Direct service to their product portfolios specifically to enable their healthcare provider customers to attest for MU and earn the related incentives. In addition, health information service providers (HISPs) have emerged as a source of Direct provisioning. HISPs are a new category of secure messaging service provider focused specifically on the delivery of accredited Direct service and addresses for the general healthcare industry. EHR vendors and HISPs were the most common providers of Direct addresses and service, at 53.7% and 20.4% respectively. Health Information Exchanges (HIEs) are another source providers are using to get Direct service.

Business Associates an Area of Risk

With the HIPAA omnibus final rule having taken effect in September 2013, many organizations not previously impacted by HIPAA/HITECH now fall under its long tail. In simple terms, the rule says that any partner of a healthcare entity, and any partner of that partner, who handles the healthcare entity's protected health data (PHI) is considered a business associate of that entity and is responsible for protecting that data. 69.4% of respondents whose organizations have a business relationship with a healthcare entity also handle that entity's protected health data. Yet 28.2% of these said they were either not a business associate, or were unsure if they were. Similarly, of those handling a healthcare entity's PHI, 40.5% had either not been asked to sign a business associate agreement, or were unsure if they had. Both of these numbers point to a lack of awareness of business associate status among a significant portion of organizations that actually are business associates, putting both themselves and the healthcare entities they work with at risk of noncompliance.
Conclusions

Although a high percentage of organizations in all industries have policies for securing files and email in transit, healthcare organizations continue to be ahead of other industries in having these policies, with close to 100% reporting having them. Yet for both healthcare and other industries, increasing employee awareness and understanding of the need to secure data in transit, and getting employees to comply, continues to be a struggle for many. Effective email and file transfer security policy compliance demands ongoing communication and training. Vendors of these systems are also starting to step up and deliver tools that are not only easier to use, but assist in the ongoing training and awareness needed for these policies to succeed.
For both healthcare and other industries, mobile in particular continues to put organizations at risk when it comes to securing email. While most organizations have accepted the fact that mobile devices are going to be used and are embracing them with policies regarding their use (healthcare is no exception), there is still a lack of email encryption on too many of these devices, creating a huge security risk. Organizations need to make sure these users are provided the tools they need to secure files and emails sent from a mobile device, such as encryption that works within their mobile email client.

While HHS has stepped in to initiate a healthcare-specific protocol for secure messaging (Direct), general awareness and adoption remain tied to the corresponding incentives from Meaningful Use programs. Meeting the HHS vision for an interoperable nationwide Health Information Network that leverages Direct has great potential to reduce costs and improve care, but will require greater education and continued adoption to reach critical mass amongst healthcare providers.

Finally, those in a healthcare ecosystem who handle a healthcare entity's protected health data, even if they are a small partner and not a healthcare entity themselves, now fall under the requirements of HIPAA/HITECH regulations and need to execute business associate agreements that define security measures for handling the data and, more importantly, comply with their terms. Securing health information in transit is no longer a requirement just for primary entities covered by regulation, or for large organizations. It impacts us all.
Appendix

Survey questions and answer detail for healthcare respondents compared to other industries

1. What is your primary job level?
2. What is your primary job function?
3. How many employees are in your organization?
4. What is the approximate size of your organization's IT (information technology) department (those reporting to the CIO)?
5. Are any of your organization's IT department resources outsourced?
6. Which of the following best describes your organization's primary business or industry?
7. Are you aware of the Direct Secure Messaging protocol as an alternative to email encryption? (for those that answered healthcare in question 6)
8. Is your organization using Direct Secure Messaging? (for those that answered yes in question 7)
9. From where did you get your Direct address? (for those that answered yes in question 8)
10. How is your organization using Direct Secure Messaging? (for those that answered yes in question 8) (multiple answers accepted)
11. Does your company have security and compliance policies for transferring sensitive information electronically (such as files, emails, form data)?
12. How aggressively are these policies enforced? (for those that answered yes to question 11)
13. Do you think employees fully understand these policies? (for those that answered yes to question 11)
14. How often do you feel employees/co-workers violate these policies? (for those that answered yes to question 11)
15. In your opinion, what are the most common reasons employees/co-workers violate these policies? (for those that answered yes to question 11)
16. What steps is your organization taking to improve policy adherence to frequently violated policies? (multiple answers allowed) (for those that answered yes to question 11)
17. Does your organization have policies regarding the methods for accepting sensitive information from external sources? (for those that answered yes to question 11)
18. What methods are acceptable for receiving sensitive information from external sources? (multiple answers allowed) (for those that answered yes to question 11)
19. Has your organization experienced a breach of sensitive information due to accidental exposure?
20. What was/were the consequence(s)? (multiple answers accepted) (for those answering yes to question 19)
21. When an employee/co-worker has a file containing sensitive information to be transferred digitally, what are your organization's accepted methods for sending the file? (multiple answers accepted)
22. Does your organization permit the use of mobile devices for email?
23. Do your employees/co-workers have the capability to encrypt email?
24. Are users required to log into a separate portal to send or receive encrypted email? (for those that answered yes to question 23)
25. Do your employees/co-workers have the capability to send and receive encrypted email directly from their desktop email client? (for those that answered yes to question 23)
26. Do your employees/co-workers have the capability to send and receive encrypted email directly from their mobile email client? (for those that answered yes to question 23)
27. What type of email encryption do your employees/co-workers use? (for those that answered yes to question 23)
28. Are you confident your company's current email encryption policy provides adequate security against an email-related data breach? (for those answering yes to question 11)
29. How likely do you think it is that your company will be selected for a compliance audit in the next 12 months?
30. If your company was selected for such an audit, how confident are you that it would pass?
31. Which best describes your company's approach to compliance?
32. How much does your organization plan to spend in the next 12 months on email encryption?
33. Does your organization have any business relationships with healthcare-covered entities such as a hospital or health system?
34. As a part of your business relationships with healthcare-covered entities, has your organization physically or electronically handled any of the healthcare entity's protected health information (PHI)? (for those that answered yes to question 33)
35. Is your organization considered a business associate as defined by HIPAA regulations?
36. Has your organization been asked to sign a Business Associate Agreement (BAA) resulting from HIPAA's redefinition of downstream business associates?

ABOUT DATAMOTION

Our mission is to dramatically reduce the cost and complexity of exchanging private health information in a secure and compliant way! Our easy-to-use encryption solutions for Direct Secure Messaging, secure email, file transfer, forms processing and customer contact leverage the DataMotion Platform for unified data delivery. As a provider of secure messaging solutions such as email encryption and Direct Secure Messaging, we are constantly engaged by providers to help them stay in compliance with expanding regulations, including HIPAA and HITECH. We are an EHNAC-accredited Health Information Service Provider (HISP), and actively promote the adoption of Direct Secure Messaging across the healthcare industry. DataMotion is privately held and based in Florham Park, N.J.