CHICAGO (November 3, 2010) - In the year since the American Recovery and Reinvestment Act of 2009 passed, new meaningful use objectives have been identified for eligible hospitals (EH) and eligible providers (EP) to qualify for incentive funds, rules known as the Electronic Health Record Incentive Program were issued by the Centers for Medicare and Medicaid Services (CMS). One of these rules stipulates that eligible hospitals and eligible providers mustprotect electronic health information created or maintained by the electronic health record by conducting or reviewing a security risk analysis. And these organizations must implement necessary security updates and correct identified security deficiencies as part of the risk management process.
Results from the 2010 HIMSS Security Survey, sponsored by Intel and supported by MGMA, found that 75 percent of all respondents stated they perform a risk assessment at their organization, similar to the findings of the 2009 survey. However, this year's survey includes a greater representation of medical practices, where twice as many respondents reported that their practice does not conduct a risk analysis (33 percent) compared to those who work at a hospital (14 percent).
- Further highlights of responses from hospital and medical practice respondents include:
- Formal Security Position: Those working for a hospital were more likely to report they had a Chief Security Officer or Chief Information Security Officer in place compared to individuals working in a medical practice. In fact, 17 percent of respondents working for medical practices indicated that they handled the security function exclusively by using external resources. None of the respondents from hospitals reported using external resources exclusively.
- Patient Data Access: More than half of respondentsfrom hospital organizations reported using two or more types of controls to manage data access compared to 40 percent of respondents from medical practices. The surveyed organizations also reported user-based and role-based controls as the most widely used controls to secure electronic patient information.
- Management of Security Environment: Almost all of the respondents reported their organization actively works to determine the cause of security breaches with two-thirds having a plan in place to responding to these threats. However, respondents from hospital organizations were more likely to report they worked to determine the cause of security breaches than were respondents in medical practices.
- Security in a Networked Environment: About 85 percent of respondents said that their organization shares patient data in an electronic format. However, hospital respondents (83 percent) compared to their medical practice counterparts (77 percent) are more likely to share data in the future.
- Future Use of Security Technologies: Mobile device encryption, e-mail encryption and single sign-on were most frequently identified by respondents as technologies not currently installed at their organizations but were planned for future installation. Respondents from hospitals not using these technologies, compared to medical practices, are more likely to report installing them in the future.
- Medical Identity Theft: Those working for medical practices were less likely to report an instance of medical identity theft occurred at their organization (17 percent) compared to those working for a hospital (38 percent). Among all respondents, 33 percent reported that their organization had at least one known case of medical identity theft.
- Maturity of Environment: Respondents placed their environment at middle rate of security with an average of 4.43 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.
- Security Budget: Among the respondents, little difference appeared by organization type in the security budget. About half of respondents indicated their organization spends three percent or less of the organization's IT budget on information security, a similar response to the 2009 results. However, respondents indicated that their security budget increased in the last year due to federal incentives.
- Patient Identity: Half of respondents indicated they validate patient identity by requiring both a government/facility-issued ID and checking the ID against information in the master patient index.
"Meaningful use objectives are now in place, so hospitals and medical practices have an important new requirement that must be followed to ensure the protection of patient health information and achieve meaningful use," said Lisa Gallagher, BSEE, CISM, CPHIMS, Senior Director, Privacy and Security, for HIMSS. "As the survey results indicate, one-quarter of the sample population would not qualify for meaningful use incentives based on not having a process to conduct risk analysis. With almost 80 percent of respondents indicating that they would share electronically stored data outside of their organizations, healthcare organizations must ensure that proper security protections are operative and based on an ongoing risk analysis process."
Targeting Chief Information Officers, Chief Security Officers and other information technology executives, the 2010 HIMSS Security Survey focused on the readiness for today's risks and security challenges with an assessment of 272 healthcare information technology and security professionals, one quarter of which indicated that they worked for a medical practice.