Healthcare Security Progress Lacking

Many Hospitals, Clinics Have a Long Way to Go, Survey Confirms
Healthcare Security Progress Lacking
The 2010 HIMSS Security Survey confirms that healthcare organizations are making inadequate progress on ensuring the security of electronic health records and other patient information, says security expert Lisa Gallagher.

Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society, says continued low spending on information security in healthcare is disappointing. For the third year in a row, the HIMSS survey found that roughly half of healthcare organizations spend 3 percent or less of their IT budgets on security.

"We would have liked to have seen this improve year over year, given that we know that this percentage is fairly low when compared to other industries, where the average is 5 percent," Gallagher says.

Security budgets are low in spite of the HITECH Act, which established tougher penalties for violating the HIPAA privacy and security rules.

The new security survey, sponsored by Intel and supported by the Medical Group Management Association, generated 272 replies from IT executives at hospitals and medical practices.

Risk Assessments

Also disappointing, Gallagher says, was the new survey's finding that 14 percent of hospitals and 33 percent of clinics have yet to conduct a risk analysis. "It's really indicative of a less than mature process for securing patient data," she says.

HIPAA requires that healthcare organizations conduct such an assessment. And hospitals and clinics that want to qualify for Medicare and Medicaid incentive payments under the HITECH Act electronic health records incentive payment program must conduct a risk analysis and then implement necessary security updates to correct identified security deficiencies.

Some smaller clinics might lack the resources or expertise to conduct a risk analysis, Gallagher acknowledges. Nevertheless, she says that some hospitals and clinics fail to understand the benefits of an analysis, which can help organizations pinpoint areas where patient information is at risk and help identify ways to remediate that risk.

Gallagher is hopeful that when organizations start applying for the HITECH incentives, they'll realize that "conducting a security risk assessment and doing comprehensive, ongoing security risk management is going to be required of them when they use electronic health records."

Rob Tennant, senior policy adviser at MGMA, says many clinics adopting EHRs "have expected their software vendors to solve their security compliance problems for them. Vendors can help with compliance, but they can't do everything." He called on clinic administrators to "become far more familiar with the security requirements than they are now" and make sure a risk assessment is completed.

"Security has posed a challenge for physician practices far more so than privacy," Tennant says. "Privacy focuses on the interaction of the practice with the patient. Security is very technical in nature, and typically the folks that lead physician practices are not security experts."

But Tennant stresses that security goes beyond technology. "It's more about how you organize the information flow within the practice and outside the practice," he notes. "So, for example, if you have staff with no legitimate need to access patient information, they need to be excluded from access."


A majority of the major health information breaches reported to federal authorities so far have involved lost or stolen unencrypted devices or media. But the HIMSS survey found that only 31 percent of respondents had encrypted all of the data on laptops, with 16 percent reporting they've encrypted none of the data.

"Organizations need to ask themselves why there is patient data on portable devices, including laptops, smart phones and PDAs," Gallagher says. In many cases, these devices should be used only to access clinical data that resides on servers, she notes.

"But if it's necessary to have patient data on the devices as part of clinical workflow, my advice is that organizations need to use encryption on those devices."

Clinics pondering how to implement encryption need to pose many questions that begin with "what if," Tennant suggests. For example, "What if a physician had a laptop stolen?"

Tennant argues that encryption "is a very good way to address what could be an enormous, expensive problem." He points out that breaches affecting 500 or more individuals must be reported to the news media as well as federal regulators. "The last thing a practice wants is their name splashed on the front page of the local newspaper. It could really hurt the reputation of the practice and the confidence of patients."

Dealing With Breaches

Despite all the publicity surrounding the nearly 190 major health information breaches reported to federal authorities so far, the survey found that only 69 percent of hospitals and clinics have a plan in place to respond to a breach.

"We hope those who lack one are working on it," Gallagher says. "They also need a process for doing the appropriate notifications to patients about a breach."

The survey also found that only one-third of hospitals and 8 percent of clinics have a full-time chief security officer or chief information security officer. Gallagher is hopeful that more hospitals will add the position as they expand their EHR use. She also notes that the survey determined 38 percent of hospitals and clinics have designated another full-time staffer to handle security responsibilities.

See also: Additional coverage of 2010 HIMSS Security Survey results.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.