Healthcare Security Progress Lacking
Many Hospitals, Clinics Have a Long Way to Go, Survey Confirms
Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society, says continued low spending on information security in healthcare is disappointing. For the third year in a row, the HIMSS survey found that roughly half of healthcare organizations spend 3 percent or less of their IT budgets on security.
"We would have liked to have seen this improve year over year, given that we know that this percentage is fairly low when compared to other industries, where the average is 5 percent," Gallagher says.
The new security survey, sponsored by Intel and supported by the Medical Group Management Association, generated 272 replies from IT executives at hospitals and medical practices.
Risk Assessments
Also disappointing, Gallagher says, was the new survey's finding that 14 percent of hospitals and 33 percent of clinics have yet to conduct a risk analysis. "It's really indicative of a less than mature process for securing patient data," she says.
HIPAA requires that healthcare organizations conduct such an assessment. And hospitals and clinics that want to qualify for Medicare and Medicaid incentive payments under the HITECH Act electronic health records incentive payment program must conduct a risk analysis and then implement necessary security updates to correct identified security deficiencies.
Some smaller clinics might lack the resources or expertise to conduct a risk analysis, Gallagher acknowledges. Nevertheless, she says that some hospitals and clinics fail to understand the benefits of an analysis, which can help organizations pinpoint areas where patient information is at risk and help identify ways to remediate that risk.
Gallagher is hopeful that when organizations start applying for the HITECH incentives, they'll realize that "conducting a security risk assessment and doing comprehensive, ongoing security risk management is going to be required of them when they use electronic health records."
Rob Tennant, senior policy adviser at MGMA, says many clinics adopting EHRs "have expected their software vendors to solve their security compliance problems for them. Vendors can help with compliance, but they can't do everything." He calls on clinic administrators to "become far more familiar with the security requirements than they are now" and to make sure a risk assessment is completed.
"Security has posed a challenge for physician practices far more so than privacy," Tennant says. "Privacy focuses on the interaction of the practice with the patient. Security is very technical in nature, and typically the folks that lead physician practices are not security experts."
But Tennant stresses that security goes beyond technology. "It's more about how you organize the information flow within the practice and outside the practice," he notes. "So, for example, if you have staff with no legitimate need to access patient information, they need to be excluded from access."
Encryption
A majority of the major health information breaches reported to federal authorities so far have involved lost or stolen unencrypted devices or media. But the HIMSS survey found that only 31 percent of respondents had encrypted all of the data on laptops, with 16 percent reporting they've encrypted none of the data.
"Organizations need to ask themselves why there is patient data on portable devices, including laptops, smart phones and PDAs," Gallagher says. In many cases, these devices should be used only to access clinical data that resides on servers, she notes.
"But if it's necessary to have patient data on the devices as part of clinical workflow, my advice is that organizations need to use encryption on those devices."
Clinics pondering how to implement encryption need to pose many questions that begin with "what if," Tennant suggests. For example, "What if a physician had a laptop stolen?"
Tennant argues that encryption "is a very good way to address what could be an enormous, expensive problem." He points out that breaches affecting 500 or more individuals must be reported to the news media as well as federal regulators. "The last thing a practice wants is their name splashed on the front page of the local newspaper. It could really hurt the reputation of the practice and the confidence of patients."
Dealing With Breaches
Despite all the publicity surrounding the nearly 190 major health information breaches reported to federal authorities so far, the survey found that only 69 percent of hospitals and clinics have a plan in place to respond to a breach.
"We hope those who lack one are working on it," Gallagher says. "They also need a process for doing the appropriate notifications to patients about a breach."
The survey also found that only one-third of hospitals and 8 percent of clinics have a full-time chief security officer or chief information security officer. Gallagher is hopeful that more hospitals will add the position as they expand their EHR use. She also notes that the survey determined 38 percent of hospitals and clinics have designated another full-time staffer to handle security responsibilities.
See also: Additional coverage of 2010 HIMSS Security Survey results.