HIMSS: More IT dollars are going to security efforts
Hospitals and medical practices alike are spending more to safeguard patient information, according to the 2010 HIMSS Security Survey, but still spend less than the average in other industries.
The third annual survey, supported for the first time by the Medical Group Management Association, included responses from 272 healthcare IT and security professionals, one quarter of whom indicated that they worked for a medical practice. For the first time, the 2010 survey included questions about how patient identity issues are handled.
About half of respondents indicated their organization spends 3 percent or less of the IT budget on information security, a similar response to the 2009 results, and lower than the information security budget share for many other industries. However, respondents also indicated that their security budgets increased in the last year, due at least in part to federal incentives.
In the survey, 75 percent of all respondents reported that they perform a risk assessment at their organization—similar to the findings of the 2009 survey.
Other highlights include:
- Formal security title: Those working for a hospital were more likely to report they had a chief security officer or chief information security officer in place, compared to individuals working in a medical practice. In fact, 17 percent of respondents working for medical practices indicated that they handled the security function exclusively by using external resources. No respondents from hospitals reported using external resources exclusively.
- Access control: More than 50 percent of respondents from hospital organizations reported using two or more types of controls to manage data access, compared to 40 percent of respondents from medical practices. User-based and role-based controls were the most widely used controls to secure electronic patient information in organizations, according to the survey.
- Management of security environment: Almost all respondents reported their organization actively works to determine the cause of security breaches, with two-thirds having a plan in place to respond to these threats. However, respondents from hospital organizations were more likely to report they worked to determine the cause of security breaches than were respondents in medical practices.
- Security in a networked environment: About 85 percent of respondents said their organization shares patient data in an electronic format. However, 83 percent of hospital respondents are likely to share data in the future, compared to 77 percent of their medical practice counterparts.
- Future security technologies: Mobile device encryption, email encryption and single sign-on were most frequently identified by all respondents as technologies not currently installed at their organizations but planned for future installation. Respondents from hospitals not using these technologies were more likely than those from medical practices to install them in the future.
- Medical identity theft: 33 percent of respondents reported that their organization had at least one known case of medical identity theft.
- Maturity of environment: Respondents rated the security maturity of their environment in the middle of the range, with an average of 4.43 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.
- Patient identity: Half of respondents indicated they validate patient identity by requiring both a government/facility-issued ID and checking the ID against information in the master patient index.
The complete 2010 HIMSS Security Survey, sponsored by Intel, can be found here.