HIMSS: Quarter of practices don't have security requirements

By Molly Merrill
10:08 AM

Medical practices have work to do when it comes to conducting risk analysis – an objective required for meeting meaningful use – according to the 2010 HIMSS Security Survey.

The survey, which was sponsored by Intel and supported by MGMA, polled 272 healthcare information technology and security professionals, one quarter of which indicated that they worked for a medical practice.

According to the survey, 75 percent of all respondents stated they perform a risk assessment at their organization, similar to the findings of the 2009 survey. However, this year's survey included a greater representation of medical practices, where twice as many respondents reported that their practice does not conduct a risk analysis (33 percent) compared to those who work at a hospital (14 percent).

The meaningful use objective stipulates that eligible hospitals and eligible providers must protect electronic health information created or maintained by the electronic health record by conducting or reviewing a security risk analysis. And these organizations must implement necessary security updates and correct identified security deficiencies as part of the risk management process.

"Meaningful use objectives are now in place, so hospitals and medical practices have an important new requirement that must be followed to ensure the protection of patient health information and achieve meaningful use," said Lisa Gallagher, senior director, privacy and security, for HIMSS.

Key findings of the survey include:

  • Respondents working for a hospital were more likely to report they had a chief security officer or chief information security officer in place compared to individuals working in a medical practice. In fact, 17 percent of respondents working for medical practices indicated that they handled the security function exclusively by using external resources. None of the respondents from hospitals reported using external resources exclusively.
  • More than half of respondents from hospital organizations reported using two or more types of controls to manage data access compared to 40 percent of respondents from medical practices. The surveyed organizations also reported user-based and role-based controls as the most widely used controls to secure electronic patient information.
  • Almost all of the respondents reported their organization actively works to determine the cause of security breaches with two-thirds having a plan in place to responding to these threats. However, respondents from hospital organizations were more likely to report they worked to determine the cause of security breaches than were respondents in medical practices.
  • About 85 percent of respondents said that their organization shares patient data in an electronic format. However, hospital respondents (83 percent) compared to their medical practice counterparts (77 percent) are more likely to share data in the future.
  • Mobile device encryption, e-mail encryption and single sign-on were most frequently identified by respondents as technologies not currently installed at their organizations but were planned for future installation. Respondents from hospitals not using these technologies, compared to medical practices, are more likely to report installing them in the future.
  • Those working for medical practices were less likely to report an instance of medical identity theft occurred at their organization (17 percent) compared to those working for a hospital (38 percent). Among all respondents, 33 percent reported that their organization had at least one known case of medical identity theft.
  • Respondents placed their environment at middle rate of security with an average of 4.43 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.
  • Among the respondents, little difference appeared by organization type in the security budget. About half of respondents indicated their organization spends three percent or less of the organization's IT budget on information security, a similar response to the 2009 results. However, respondents indicated that their security budget increased in the last year due to federal incentives.
  • Half of respondents indicated they validate patient identity by requiring both a government/facility-issued ID and checking the ID against information in the master patient index.

"As the survey results indicate, one-quarter of the sample population would not qualify for meaningful use incentives based on not having a process to conduct risk analysis. With almost 80 percent of respondents indicating that they would share electronically stored data outside of their organizations, healthcare organizations must ensure that proper security protections are operative and based on an ongoing risk analysis process," Gallagher noted.