CHICAGO – Results from the 2011 HIMSS Security Survey show that three-quarters of all survey respondents reported their organization performs a risk assessment to evaluate the risks to patient data.
In the four years that HIMSS has been studying the security environments of healthcare organizations, the percent of respondents that have conducted a risk assessment has remained consistent at approximately three-quarters of respondents. Of concern, as in previous years, are the one-quarter of responding organizations that do not conduct a security risk assessment at all, HIMSS officials note in the report’s executive summary.
Healthcare organizations required to conduct a risk analysis, as a result of meaningful use criteria, also must correct deficiencies identified during the risk analysis process.
The study suggests that those respondents that are conducting a risk assessment are taking action based on the results of the risk assessment, according to HIMSS findings. For example, more than 80 percent of respondents used this information to determine which security controls should be put into place. Further, risk assessment results were also used to identify gaps in existing security controls, policies and/or procedures. This enables organizations to actively take steps to correct deficiencies.
Other key survey results include:
- Maturity of the Security Environment. Using a scale of one to seven, where one is not at all a mature security environment and seven is highly mature, respondents recorded an average score of 4.23. This is fairly consistent with what has been reported in previous years.
- Security Budget. The majority of respondents reported that they spent three percent or less of their overall IT budget on information security. More than half of respondents (59 percent) indicated that the IT budget dedicated to information security has increased in the past year.
- Oversight of Information Security. Approximately half of respondents reported they have either a Chief Security Officer (CSO)/Chief Information Security Officer (CISO) or full-time staff in place to handle their organizations’ security functions. Those working for a corporate organization or hospital were more likely to report that they had a CSO/CISO in place compared to individuals working for medical practices. Respondents working for medical practices were more likely to indicate that they handled their security function using outsourced or part-time resources.
- Employee/Patient Data Access. Nearly all respondents reported their organization monitors how their employees are accessing electronic patient information. Role-based and user-based controls were reported to be most widely used. Approximately two-thirds of respondents noted that their organization provides information that is electronically stored to patients, surrogates and/or designated others.
- Audit Logs. Nearly all of the respondents reported that their organization collects and analyzes audit log information from at least one system in their organization, with firewall logs being the most common source of audit log data. Audit log data is most widely used for policy compliance monitoring.
- Security in a Networked Environment. Approximately 82 percent of respondents reported that their organization shares patient data in an electronic format with external organizations. Data is most frequently shared with other facilities within their corporate entity, third-party service providers and state government entities.
- Future Use of Security Technologies. The survey reports that healthcare organizations considering making a security purchase were most likely to identify data loss prevention, e-mail encryption and single sign-on as potential future procurements. Approximately one-quarter of all healthcare organizations in the survey plan to purchase these technologies.
- Patient Identity. Most respondents reported that their organizations validate the identity of patients at the time of a patient encounter. Use of a government- or facility-issued photo ID was the most frequently reported means of validation. Approximately half of respondents use a formal reconciliation process to identify records in their master person index.
- Medical Identity Theft. Fourteen percent of respondents reported that their organization has had at least one known case of medical identity theft reported by a patient in the previous 12 months. Those working for corporate entities were more likely to report such a case, compared to those working at medical practices or hospitals.
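The Employee/Patient Data Access and Audit Logs items above describe what most respondents say they do (role-based and user-based access controls, plus audit log analysis for policy compliance monitoring) without showing what that analysis looks like in practice. The script below is an added illustration written for this article, not code from HIMSS or from any surveyed organization. It assumes a simple whitespace-separated audit log format (timestamp, user, role, action, patient ID, optional BTG break-the-glass marker), an assumed role permission table, an assumed care-team roster, and an assumed snooping threshold; the sample log lines are constructed, not real data. It applies three checks to each event: the role-based rule (deny by default, so unknown roles are flagged), the user-based rule that clinical access outside the care team needs a logged override, and a velocity heuristic that flags a user opening many distinct charts in a short window.

```python
"""Policy-compliance review of EHR access audit logs (illustrative, assumed format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Assumed role-based policy: which actions each role may perform.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"view_clinical", "update_clinical", "view_demographics"},
    "nurse": {"view_clinical", "update_clinical", "view_demographics"},
    "billing": {"view_demographics", "view_billing"},
}

# Assumed user-based policy: clinical actions are limited to a patient's care team
# unless the user records a break-the-glass (BTG) override, which is itself reviewed.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"jdoe", "rkim"},
    "P1002": {"jdoe"},
    "P1003": {"rkim"},
}
CLINICAL_ACTIONS = {"view_clinical", "update_clinical"}

# Assumed snooping heuristic: more than MAX_PATIENTS distinct charts per user within WINDOW.
MAX_PATIENTS = 3
WINDOW = timedelta(minutes=10)

# Constructed sample audit log (not real data).
# Fields: timestamp user role action patient_id [BTG]
SAMPLE_LOG = """\
2011-11-01T08:02:11 jdoe nurse view_clinical P1001
2011-11-01T08:05:40 jdoe nurse update_clinical P1002
2011-11-01T08:09:03 bsmith billing view_demographics P1001
2011-11-01T08:10:17 bsmith billing view_clinical P1001
2011-11-01T08:15:55 rkim physician view_clinical P1003
2011-11-01T08:16:20 rkim physician view_clinical P2044 BTG
2011-11-01T08:16:45 rkim physician view_clinical P2045
2011-11-01T08:17:02 rkim physician view_clinical P2046
2011-11-01T08:17:30 rkim physician view_clinical P2047
"""


def review(log_text: str) -> List[dict]:
    """Apply the role, care-relationship and velocity checks to each event in order."""
    findings: List[dict] = []
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    velocity_alerted: Set[str] = set()

    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) < 5:
            # A log line the parser cannot read is itself a review item, not silently dropped.
            findings.append({"kind": "malformed", "line": lineno})
            continue
        ts = datetime.fromisoformat(parts[0])
        user, role, action, patient = parts[1:5]
        btg = len(parts) > 5 and parts[5] == "BTG"

        # Role-based control: deny by default, so an unknown role permits nothing.
        allowed = ROLE_PERMISSIONS.get(role, set())
        if action not in allowed:
            findings.append({"kind": "role_violation", "line": lineno,
                             "user": user, "patient": patient})
        elif action in CLINICAL_ACTIONS and user not in CARE_TEAM.get(patient, set()):
            # User-based control: clinical access outside the care team must carry an override.
            kind = "break_glass_override" if btg else "no_care_relationship"
            findings.append({"kind": kind, "line": lineno, "user": user, "patient": patient})

        # Velocity heuristic: count distinct charts this user touched inside the sliding window.
        window = recent[user]
        window.append((ts, patient))
        while ts - window[0][0] > WINDOW:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) > MAX_PATIENTS and user not in velocity_alerted:
            velocity_alerted.add(user)  # alert once per user, not on every further event
            findings.append({"kind": "velocity", "line": lineno,
                             "user": user, "patients": len(distinct)})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by kind, the figure a compliance report would carry."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for f in results:
        print(f)
    print(summarize(results))
```

On the constructed sample the billing user's clinical view is a role violation, the physician's BTG access is recorded for review rather than flagged as a violation, the three following accesses outside the care team are flagged, and the same user trips the velocity threshold once. Note that the role and relationship checks only work if the audit log records role and patient ID per event; a firewall log, which the survey reports as the most common source, cannot answer these questions on its own.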