Healthcare organizations continue to increase spending to secure electronic patient data, with physician practices boosting their efforts, according to a new HIMSS security survey.
The poll of 283 IT and security professionals employed by hospitals and physician practices found organizations using a wide variety of technologies to secure data and conducting routine testing, such as risk analyses and IT security plan audits. However, it also unearthed some alarming facts--just 17 percent said data was encrypted on mobile medical devices, such as a wireless-enabled monitoring device.
Nineteen percent of respondents reported that they had a security breach in the past year.
Among other results:
- Only half reported having a full-time staff member devoted to overseeing information security initiatives.
- Half report spending 3 percent or less of their overall IT budget on security patient data. Physician practices report spending a higher percentage than hospitals.
- Eighty percent named staff snooping on the information of others--spouses, co-workers or friends--as a threat motivator. Two-thirds also pointed to financial identity theft and half listed medical identity theft.
- Use of key technologies to control employee access to patient data has increased, including user access controls and audit logs. And more organizations are using multiple means to control employee access to patient information.
- 92 percent reported their organization conducts a formal risk analysis. Among physician practices, those doing so grew from 65 percent in 2012 to 78 percent in 2013.
- Fifty-four percent reported testing their data breach response plan, with hospitals more likely to do so.
- In rating their security environment on a scale of one to seven, the average score was 4.35, a slight decrease from last year.
A cybersecurity report from The SANS Institute published this week said the healthcare industry's cybersecurity strategies and controls are fallen lagging, with networks and Internet-connected devices being compromised at an "alarming" rate. HIPAA compliance does not equal security, it pointed out.
At the same time, penalties for failing to protect patient data are growing. A new ruling means organizations could be dinged by both the Office for Civil Rights and the Federal Trade Commission for a data breach.
To learn more:
- find the survey (.pdf)