Survey: Risk Analysis Not Universal
Many Hospitals, Clinics Still Haven't Conducted One
The 2010 HIMSS Security Survey of 272 IT executives found that 61 percent of hospitals and clinics conduct a formal risk analysis annually or every six months. Last year's survey, which included mainly hospitals, showed 55 percent conducted an assessment that frequently.
Hospitals and clinics that want to qualify for Medicare and Medicaid incentive payments under the HITECH Act electronic health records incentive payment program must conduct a risk analysis and then implement necessary security updates to correct identified security deficiencies.
Chief Information Security Officers
The new survey, conducted by the Healthcare Information and Management Systems Society, sponsored by Intel and supported by the Medical Group Management Association, found that 29 percent of respondents have a chief security officer or chief information security officer, with security officers far more common at hospitals than clinics.
Another 38 percent of hospitals and clinics said other full-time staff handled security functions, with 21 percent relying on part-time staff. But 17 percent of clinics said they handled their security functions exclusively through external resources.
ID Theft Incidents
Other survey highlights include:
- 38 percent of hospitals and 17 percent of clinics reported they've experienced an incident of medical identity theft;
- 69 percent of all respondents reported having a plan in place to respond to threats or security breaches, with 27 percent still developing a plan;
- 46 percent report spending 3 percent or less of their IT budget on information security;
- 53 percent said the percentage of their IT budget dedicated to information security increased in the past year, and 43 percent said that the looming federal EHR incentives facilitated an increase in their security budget;
- Regarding encryption, 62 percent said they have encrypted at least half of the data on laptops in their organization, with 31 percent having encrypted all of the data;
- 24 percent have encrypted at least half of the data on desktop computers, 33 percent on servers, 52 percent on backup tapes and 38 percent on e-mail;
- More than half of hospitals reported using two or more types of controls to manage data access, compared to 40 percent of clinics. The most common were user-based and role-based controls;
- Mobile device encryption, e-mail encryption and single sign-on were most frequently identified as technologies not now in place but planned for future installation.