The Healthcare Information and Management Systems Society (HIMSS) in November published results of a survey that focused on key issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations. Though your company may not be in the healthcare industry, read the results discussed below, and think about how they might compare to your organization.
The 2010 HIMSS Security Survey included feedback from information technology and security professionals from healthcare provider organizations across the U.S. Here’s an overview of respondents’ input:
Maturity of Environment: Respondents characterized their environment at a middle rate of maturity.
Security Budget: Approximately half of respondents reported that their organization spends three percent or less of its IT budget on information security.
Formal Security Position: Slightly more than half (53%) of respondents reported they have either a CSO/CISO or full-time staff in place to handle their organizations’ security functions.
Risk Analysis: Slightly more than half of respondents (59%) who said that their organization conducts a formal risk analysis reported that this analysis is conducted annually.
Patient Data Access: Surveyed organizations most widely employ user-based and role-based controls to secure electronic patient information.
Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. Two thirds reported having a plan in place for responding to threats or incidents related to a security breach.
Security in a Networked Environment: Approximately 85% of respondents reported that their organization shares patient data in an electronic format.
Future Use of Security Technologies: Mobile device encryption, e-mail encryption and single sign-on were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.
Patient Identity: Half of respondents indicated that they validate patient identity by both requiring a government/facility-issued ID and checking the ID against information in the master patient index.
Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft.