Winning Support for Risk Assessments
Funding for Security Steps Lacking, Surveys Confirm
But a new survey shows, unfortunately, that for some hospitals and clinics, risk assessments are far from routine.
The 2010 HIMSS Security Survey found that 14 percent of hospitals and 33 percent of clinics have yet to conduct a risk analysis.
Benefits of Risk Analysis
Some hospitals and clinics fail to understand the benefits of an analysis, which can help organizations pinpoint areas where patient information is at risk and help identify ways to remediate that risk, says Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society.
Clearly, risk assessments accomplish more than achieving compliance with federal regulations. They help organizations minimize their risk of breaches, which can lead to extraordinarily high costs. The Ponemon Institute estimates the average breach costs $204 per record for direct and indirect expenses.
Rob Tennant, senior policy adviser at Medical Group Management Association, says many clinics adopting EHRs "have expected their software vendors to solve their security compliance problems for them. Vendors can help with compliance, but they can't do everything." He called on clinic administrators to "become far more familiar with the security requirements than they are now" and make sure a risk assessment is completed.
Responding to a Breach
Taking steps to prevent breaches is important. But healthcare organizations also need to be well-prepared to respond to a breach if one occurs. Unfortunately, many still have work to do.
Despite all the publicity surrounding the nearly 190 major health information breaches reported to federal authorities so far, the HIMSS survey found that only 69 percent of hospitals and clinics have a plan in place to respond to a breach.
"We hope those who lack one are working on it," Gallagher says. "They also need a process for doing the appropriate notifications to patients about a breach."
For the third year in a row, the HIMSS survey found that roughly half of healthcare organizations spend 3 percent or less of their IT budgets on security.
Meanwhile, a smaller privacy and security survey of 65 hospitals and other organizations by the Ponemon Institute found that inadequate budget and a lack of trained security and privacy staff were the two vulnerabilities most frequently cited as leading to breaches. And 58 percent of respondents said they have little or no confidence in their organization's ability to detect all patient data loss or theft.
Gaining Security Funding
So how can you win support for more funding for information security, including regularly scheduled risk assessments?
The powerful financial incentives offered under the HITECH Act may be a strong catalyst for some to take action.
But if decision makers at your organization need another motivation, consider handing them a copy of the list of major breaches reported to federal authorities. Reading the list can be an eye-opening experience. After all, many organizations just like yours have experienced major breaches and dealt with the messy aftermath.
Ask senior executives and board members if they'd like to avoid the bad publicity -- and high expense -- associated with breaches. And then spell out a game plan for assessing your risks and mitigating them.