At first glance, the new Booz Allen Hamilton survey of government health IT security readiness is pretty positive.
A full 56 percent of respondents--IT directors and program managers with the U.S. Department of Health & Human Services, the Department of Veterans Affairs and other state and local government entities--say they're fully compliant with federal security and privacy requirements. Another 65 percent say they have a risk management strategy and action plan for data breaches. And 60 percent say they have a "holistic" security strategy for responding to potential incidents.
The flip side of those numbers, however, shows 42 percent to be anywhere from "somewhat compliant" to not compliant with security requirements. Thirty-five percent don't have a risk management plan, or are only just now developing or updating those plans, according to the survey.
Meanwhile, a surprising 39 percent say they would have problems identifying, or knowing exactly how to handle, a security incident.
Those downside statistics are even scarier when you match them up against the 97 percent increase in security or data breaches in 2011, according to security firm Redspin earlier this month. And we recently told you about growing data threats for the industry as a whole and even small organizations.
The survey identified two major risk areas where government IT groups particularly are behind the eight-ball:
- Mobile devices proliferating in the government sector. Nearly 80 percent of respondents say mobile devices are growing in importance in government health organizations, and more than two-thirds say their agencies allow employees to use personal mobile devices for work activities. Still, only about half (53 percent) have a mobile-specific risk management plan for mobile devices, and more than 30 percent say they don't have a mobile plan at all. The study's authors indicated they're a bit skeptical of the maturity of those plans, as well, with many relying simply on encryption protocols rather than a "more fully drawn plan."
- Cloud-based storage and access for PHI-related files. The Office of Management and Budget's reform plan requires federal agencies to migrate services to the cloud, the study's authors point out. But only 36 percent of respondents say they've deployed cloud-based systems, and 50 percent say they haven't even started yet. The authors guess that their reluctance stems from "cloud computing's inherent security vulnerabilities." But nearly 60 percent say they know cloud computing will be important over the coming five years. Government agencies will need to move quickly to "address cloud computing's security issues within [their] broader risk management strategy and action plan," the authors warn.
Overall, the study indicates concern about the depth of government agencies' security readiness, and their ability to "account for the entire lifecycle of data from the moment the data is received," says Natalie Givans, Booz Allen Hamilton senior vice president. Agencies need to do a great deal more to create a "truly holistic plan" that covers policies, training, technology monitoring, audit trails and reporting, and fully developed risk management plans.
"It's now up to healthcare organizations in the government sector to take action," says Deborah Wolf, a Booz Allen executive advisor.
To learn more:
- read the Booz Allen Hamilton announcement
- here's the survey's accompanying white paper (.pdf)