CHICAGO – Want to know how you stack up against your peers in terms of information security?
Then be sure to tune in to “The HIMSS Security Survey: Insights into the Status of Healthcare Security Implementations” this afternoon at 2:15pm CT.
HIMSS conducted a survey from August 2009 to October 2009, with respondents being asked to characterize their organization’s readiness for today’s risks and security challenges, said Jennifer Horowitz, senior director of Research for HIMSS Analytics. This survey was sponsored by Symantec.
The results, from a total of 196 responses, will be presented by Lisa Gallagher, senior director of Privacy & Security for HIMSS, Horowitz and David Finn, health information technology officer for Symantec.
Highlights from the survey, which will be discussed in detail during the webinar, include:
- Respondents characterized the maturity of their organization’s security program as mid-level, or 4.27 on a scale of one to seven where one is low and seven is high.
- Nearly one-quarter (21 percent) stated that they spent less than one percent of their budget on information security. Another 40 percent reported that their organization spends between one and three percent of their budget on information security – a metric that has remained relatively unchanged in the past year.
- Fewer than half of the respondents indicated that their organization has a formally designated Chief Information Security Officer or Chief Security Officer.
- Only three-quarters conduct a formal risk assessment (and only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year. Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes. One-third of respondents reported that their organization has had at least one known case of medical identity theft.
- Healthcare organizations are not always using available technologies to secure data, such as data encryption and data loss prevention.
“These results are somewhat concerning as the operating environment is becoming increasingly complex, due to an increase in adoption of health IT and a complex threat environment,” said Gallagher. “This puts the data at a higher risk of exposure in the future, as more data is housed electronically.”
The survey also assessed healthcare organizations’ ability to comply with the new privacy statutes in the American Recovery and Reinvestment Act (ARRA), as well as related upcoming regulation from the Dept. of Health and Human Services. Under ARRA, healthcare organizations are required to provide notification of data breaches to the patient (as well as HHS and the public in some circumstances) and provide accounting of all disclosures of protected health information upon patient request (for the three years prior to the request).
Most of the survey respondents' healthcare organizations use audit logs. Currently, only a quarter of the respondents reported that all analysis of log data is done entirely electronically. “Without some type of automated assistance to detect breaches and analyze log data, organizations may not be equipped to provide patients with proper breach notification,” said Finn. “In addition, they may have difficulty producing a clear and accurate accounting of disclosures.”
Healthcare organizations today face increasing challenges as they are being urged to adopt electronic health records in the midst of a complex legal, regulatory and risk environment. To effectively secure patient data, it is important that organizations appropriately resource and manage their security initiatives. Trends as reflected in the survey results indicate that organizations are currently required to be extremely efficient in terms of how they are using their security resources and that much work still remains to be done in order to adequately protect health data.





