The Security Scrutinizer with Howard Anderson

Winning Support for Risk Assessments

Funding for Security Steps Lacking, Surveys Confirm

But a new survey shows, unfortunately, that for some hospitals and clinics, risk assessments are far from routine.

The 2010 HIMSS Security Survey found that 14 percent of hospitals and 33 percent of clinics have yet to conduct a risk analysis.

Benefits of Risk Analysis

Some hospitals and clinics fail to understand the benefits of an analysis, which can help organizations pinpoint areas where patient information is at risk and help identify ways to remediate that risk, says Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society.

Clearly, risk assessments accomplish more than achieving compliance with federal regulations. They help organizations minimize their risk of breaches, which can lead to extraordinarily high costs. The Ponemon Institute estimates the average breach costs $204 per record for direct and indirect expenses.

Rob Tennant, senior policy adviser at Medical Group Management Association, says many clinics adopting EHRs "have expected their software vendors to solve their security compliance problems for them. Vendors can help with compliance, but they can't do everything." He called on clinic administrators to "become far more familiar with the security requirements than they are now" and make sure a risk assessment is completed.

Responding to a Breach

Taking steps to prevent breaches is important. But healthcare organizations also need to be well-prepared to respond to a breach if one occurs. Unfortunately, many still have work to do.

Despite all the publicity surrounding the nearly 190 major health information breaches reported to federal authorities so far, the HIMSS survey found that only 69 percent of hospitals and clinics have a plan in place to respond to a breach.

"We hope those who lack one are working on it," Gallagher says. "They also need a process for doing the appropriate notifications to patients about a breach."

For the third year in a row, the HIMSS survey found that roughly half of healthcare organizations spend 3 percent or less of their IT budgets on security.

Meanwhile, a smaller privacy and security survey of 65 hospitals and others by the Ponemon Institute showed inadequate budget and lack of trained staff for security and privacy were the two reasons cited most frequently as the areas of vulnerability leading to breaches. And 58 percent of respondents said they have little or no confidence in their organization's ability to detect all patient data loss or theft.

Gaining Security Funding

So how can you win support for more funding for information security, including regularly scheduled risk assessments?

The powerful financial incentives offered under the HITECH Act may be a strong catalyst for some to take action.

But if decision makers at your organization need another motivation, consider handing them a copy of the list of major breaches reported to federal authorities. Reading the list can be an eye-opening experience. After all, many organizations just like yours have experienced major breaches and dealt with the messy aftermath.

Ask senior executives and board members if they'd like to avoid the bad publicity -- and high expense -- associated with breaches. And then spell out a game plan for assessing your risks and mitigating them.



About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



