Survey: Mixed Bag on Security Readiness

Register now

An updated biannual report from the HIMSS Analytics research unit of the Healthcare Information and Management Systems Society in Chicago shows health organizations take data security compliance seriously but may be missing the big picture.

Kroll Fraud Solutions, Nashville, Tenn., commissioned the "2010 HIMSS Analytics Report: Security of Patient Data," which follows a similar report issued in April 2008. The new report issued on April 5 covers the results of 250 health professionals surveyed in December 2009.

Respondents rated their organizations high in complying with existing laws and regulations, averaging a score above 6 on a scale of 1-7 for CMS regulations, HIPAA, state security laws and the Red Flags rule, and 5.75 for HITECH Act security provisions. Yet 19 percent reported a data breach in the past year, up from 13 percent in the survey two years ago.

"On one hand, health care organizations are demonstrating increased awareness of the state of patient data security as a result of heightened regulatory activity and increased compliance," says Brian Lapidus COO at Kroll Fraud Solutions. "On the other, organizations are so afraid of being labeled 'noncompliant' that they overlook the bigger elephant in the room, the still-present risk and escalating costs associated with a data breach. We need to shift the industry focus from a 'check box' mentality around compliance to a more comprehensive, sustained look at data security."

Survey respondents rated their preparedness for a breach very high--an average of 6.6 on a scale of 1-7. Yet they continue to think of data security in specific silos, according to results. For instance, 87 percent said they have policies to monitor access and sharing of electronic health information, but most breaches involve low-tech incidents such as stolen laptops and back-up tapes, and improperly disposed documents.

Sixty percent of respondents require third-party vendors to provide proof of employee training, but only half require the vendors to provide proof of employee background checks.

Forty-five percent of survey respondents were health information management professionals, 25 percent were senior I.T. executives, 25 percent were compliance and privacy officers, 4 percent were chief security officers, and 1 percent was associated with information management. Most came from small to mid-sized health care facilities.

The report, and information on an accompanying Webcast on April 15, are available at Registration is required.

--Joseph Goedert


For reprint and licensing requests for this article, click here.