Groups add to privacy, security budgets
December 13, 2012 in Medical Technology
The majority of healthcare organizations across the U.S. have increased their privacy and security budgets according to a new HIMSS survey released Wednesday. Officials say, however, many of the groups’ allocated budgets still fall short.
Findings of the 2012 Security Survey also highlight that healthcare groups are hiring more security staff and conducting risk analysis on an annual basis. Survey findings were announced at the Healthcare IT News/HIMSS Media Privacy Security Forum in Boston.
Although both hospitals and medical practices across the country have continued to increase their privacy and security budgets over the past five years, officials say the percentage of the budget dedicated to these issues is still cause for concern. “Over the last five years, we see a significant portion of the organizations say that their privacy and security funding is between 1 and 3 percent of their budget,” says Lisa Gallagher, senior director of privacy and security for HIMSS. “That’s still a pretty concerning number.”
Bob Krenek, senior director at Experian Data Breach Resolution, says one of the biggest disconnects for providers surrounding privacy and security is not always the technology implementation, but rather the lack of policy procedures in place. “Policy is as important as putting the programs in place,” he says. He mentions many healthcare organizations now perform mock data breaches for unknowing staff, who are required to make the calls and follow specific data breach procedures.
According to data from the Department of Health and Human Services (HHS), some 21 million patient records have been compromised in healthcare data breaches since 2009. What’s even more concerning, Gallagher adds, is that “data breaches involving 499 or fewer are not counted in the HHS final count.” She estimated that somewhere between 40-45 million patient records might have been compromised. The number can’t be confirmed, as the data isn’t all there, she adds, but it’s a more accurate number based on healthcare organizations’ reporting.
Other survey findings include:
- Some 90 percent of hospitals conduct regular risk analysis compared with the 65 percent of medical practices that do so.
- Nearly half (43 percent) of survey respondents test their data breach response plans, with 81 percent saying they test their plans annually.
- Some 64 percent of respondents test their IT security plan, with 78 percent testing it annually.
- Data and security tools are widely used among hospitals and medical practices, with more than 97 percent having firewall tools and some 92 percent having user access controls. Disaster recovery, offsite storage, wireless security protocols and electronic signature security tools were also used by more than 71 percent of respondents overall.
- Certain tools had lower adoption rates, however, specifically among medical practices. Intrusion prevention and detection, for example, had adoption rates of only 36 percent – this in comparison to the more than 71 percent of hospitals that currently use these tools.