Survey: Risk Analysis Not Universal

Many Hospitals, Clinics Still Haven't Conducted One
Although HIPAA requires healthcare organizations to conduct a risk analysis, 14 percent of hospitals and 33 percent of physician group practices have yet to conduct one, a new survey shows.

The 2010 HIMSS Security Survey of 272 IT executives found that 61 percent of hospitals and clinics conduct a formal risk analysis annually or every six months. Last year's survey, which included mainly hospitals, found that 55 percent conducted a risk analysis at least that often.

Hospitals and clinics that want to qualify for Medicare and Medicaid incentive payments under the HITECH Act electronic health records incentive payment program must conduct a risk analysis and then implement necessary security updates to correct identified security deficiencies.

Chief Information Security Officers

The new survey, conducted by the Healthcare Information and Management Systems Society, sponsored by Intel and supported by the Medical Group Management Association, found that 29 percent of respondents have a chief security officer or chief information security officer, with security officers far more common at hospitals than clinics.

Another 38 percent of hospitals and clinics said other full-time staff handled security functions, with 21 percent relying on part-time staff. But 17 percent of clinics said they handled their security functions exclusively through external resources.

ID Theft Incidents

Other survey highlights include:

  • 38 percent of hospitals and 17 percent of clinics reported they've experienced an incident of medical identity theft;
  • 69 percent of all respondents reported having a plan in place to respond to threats or security breaches, with 27 percent still developing a plan;
  • 46 percent report spending 3 percent or less of their IT budget on information security;
  • 53 percent said the percentage of their IT budget dedicated to information security increased in the past year, and 43 percent said that the looming federal EHR incentives facilitated an increase in their security budget;
  • Regarding encryption, 62 percent said they have encrypted at least half of the data on laptops in their organization, with 31 percent having encrypted all of the data;
  • 24 percent have encrypted at least half of the data on desktop computers, 33 percent on servers, 52 percent on backup tapes and 38 percent on e-mail;
  • More than half of hospitals reported using two or more types of controls to manage data access, compared to 40 percent of clinics. The most common were user-based and role-based controls;
  • Mobile device encryption, e-mail encryption and single sign-on were most frequently identified as technologies not now in place but planned for future installation.



About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
