Results of the 2013 HIMSS Security Survey show that, despite progress toward hardened security and use of analytics, more work must be done to mitigate insider threat, such as the inappropriate access of data by employees. Although federal initiatives such as OCR audits, meaningful use and the HIPAA Omnibus Rule continue to encourage healthcare organizations to increase the budgets and resources dedicated to securing patient health data, in the previous 12 months, 19 percent of respondents reported a security breach and 12 percent of organizations have had at least one known case of medical identity theft reported by a patient.
The 2013 HIMSS Security Survey, supported by the Medical Group Management Association and underwritten by Experian Data Breach Resolution, profiles the data security experiences of 283 information technology (IT) and security professionals employed by U.S. hospitals and physician practices. The data from respondents suggests that the greatest perceived “threat motivator” is that of healthcare workers potentially snooping into the electronic health information of friends, neighbors, spouses or co-workers (i.e., inappropriate data access).
Recognizing inappropriate data access by insiders as an area for which organizations are at risk of a security breach, there has been increased use of several key technologies related to employee access to patient data, including user access control and audit logs of each access to patient health records. On a related note, although more than half of the survey’s respondents (51 percent) have increased their security budgets in the past year, 49 percent of these organizations are still spending 3 percent or less of their overall IT budget on security initiatives that will secure patient data.
“Our collaboration with HIMSS for the sixth annual security survey has provided insight into the current state of security within provider organizations,” said Michael Bruemmer, vice president for Experian Data Breach Resolution. “Though progress is noticeable, it is critical that healthcare organizations put in place a comprehensive plan that addresses potential security threats – whether internal or external – to prevent electronic health data breaches and minimize the impact of a breach should one occur.”
Other key findings from the survey include the following:
- 92 percent of organizations conduct a formal risk analysis.
- 54 percent of organizations report having a tested data breach response plan; 63 percent of these organizations test their plan annually.
- 93 percent of organizations indicate their organization is collecting and analyzing data from audit logs.
- Healthcare organizations are using multiple means of controlling employee access to patient information; 67 percent of survey respondents use at least two mechanisms, such as user-based and role-based controls, for controlling access to data.
The survey also pinpoints shortcomings within the healthcare industry. Barriers to improving an organization’s security posture included budget, dedicated leadership and the following:
- Organizations reported an average score of 4.35 regarding the maturity of the security environment (where 1 is not at all mature and 7 is highly mature).
- Nearly half (49 percent) of the survey’s responding organizations are still spending 3 percent or less of their overall IT budget on security initiatives that will secure patient data.
- 52 percent of the hospital-based respondents reported that they had a CSO, CISO or other full-time leader in charge of security of patient data.
“Healthcare organizations are increasingly deploying technologies to increase data security, but continued analysis is crucial in ensuring the proactive prevention of data breaches within hospitals and physician practices. Without these anticipatory measures, security of patient data will remain a core challenge within our nation’s healthcare organizations,” said Lisa A. Gallagher, BSEE, CISM, CPHIMS, FHIMSS vice president, technology solutions, HIMSS.
For more information on the survey results:
- Read the complete report on the 2013 HIMSS Security Survey, collaborative research from HIMSS and Experian.
- Download the survey infographic for a visual summary of the results.