Healthcare Organizations not Prepared for HITECH Security Challenges
The Healthcare Information and Management Systems Society releases its 2nd Annual Security Survey.
With the American Recovery and Reinvestment Act underway, healthcare organizations face new challenges to maintain privacy and security of patient health data. However, data gathered from healthcare IT and security professionals indicate that many organizations may not be ready to meet some of the HITECH components of the ARRA legislation and other security challenges, according to the results of the 2009 HIMSS Security Survey, sponsored by Symantec Corp.
While healthcare organizations recognize that patient data must be protected, the survey results show that:
- Security budgets remain low
- Organizations often don’t have a response plan for threats or a security breach
- A designated Chief Security Officer or Chief Information Security Officer is not in place
Other key survey results include:
Security Budget: Approximately 60 percent of respondents reported that their organization spends three percent or less of its IT budget on information security. This is consistent with the level of spending identified in the 2008 study.
Maturity of Environment: Respondents characterized their environment at a middle rate of maturity, with an average score of 4.27 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.
Formal Security Position: Fewer than half of respondents indicated that their organization has either a formally designated CISO (Chief Information Security Officer) or CSO (Chief Security Officer).
Patient Data Access: Surveyed organizations most widely implement user-based and role-based controls to secure electronic patient information. Approximately half of respondents reported that their organization allows patients/surrogates to access electronic patient information. Patients/surrogates are most likely to be granted access to high level clinical information, such as diagnosis or lab results.
Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. However, only half have a plan in place for responding to threats or incidents related to a security breach.
Security Controls: Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization. About 85 percent of respondents reported that they monitor the success of these controls and two-thirds of these respondents measure the success of these controls.
Risk Analysis: Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year. Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes. Conducting this analysis positions organizations to identify gaps in their security controls and/or policies and procedures.
Security in a Networked Environment: Nearly all respondents reported that their organizations share patient data in electronic format. Respondents are most likely to report that they share data with state government entities. Respondents also reported that the area in which they are most likely to share data in the future is with Health Information Exchanges (HIEs)/Regional Health Information Organizations (RHIOs). Approximately half of these organizations (41 percent) indicated that these sharing arrangements have resulted in the use of additional security controls beyond those that were already in place at their organization. This is consistent with the data reported in the 2008 survey.
Future Use of Security Technologies: E-mail encryption and single sign-on were the technologies respondents most frequently identified as not presently installed at their organization but planned for future installation.
Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization. However, only a handful of these organizations experienced direct consequences from the breach.
Source: HIMSS