HIMSS: Hospitals spending more to ensure data privacy, security

Privacy and security budgets at most healthcare organizations have increased during the past year, according to responses to HIMSS' fifth annual security survey, unveiled this week. More than half (56 percent) of the 303 health IT and security professionals queried said that their organization has increased the amount of IT budget allocated for information security, although 47 percent of respondents said that their organization spends 3 percent or less of the overall IT budget on such measures.

Still, more than three-fourths of respondents said that their organization conducted formal risk analyses to examine risks to patient data. Of those, nearly two-thirds (64 percent) did so on an a year-to-year basis.

Additionally, 64 percent of overall respondents said that their organization conducted an audit of the IT security plan, with 65 percent of those respondents doing so annually.

"Five years ago, only 54 percent of respondents conducted [risk assessments] on an annual basis," the survey's authors said. "Today, that number is up to nearly three-quarters of respondents. This suggests that not only will more organizations have access to information that will help them better secure electronic information, but they will also have this information available in a more timely fashion."

That conclusion appears to contrast with views expressed by Larry Ponemon to FierceHealthIT last week, following his organization's annual data security report. Ponemon's third-annual study determined that 94 percent of 80 participating healthcare organizations had experienced at least one known data breach in the past two years. The Institute's chairman said that he didn't think there was a "C-level appreciation or support" for dealing with data security.

"Sure, when there are big fines or reputation consequences to losing information, suddenly organizations have a new-found religion," Ponemon said. "We don't see that level of concern or cautiousness that exists in some other industries, like banking, for example."

One-fourth of respondents to the HIMSS survey said that their organization had suffered a data breach in the past year, with most indicating that patients were informed about the breach.

To learn more:
- read the HIMSS survey (.pdf)