News Feature | February 27, 2014

Electronic Health Data Breaches Remain Primary Concern

Source: Health IT Outcomes
Christine Kern

By Christine Kern, contributing writer

HIMSS Survey reveals security breaches, identity theft are chief concerns among providers

According to the 2013 HIMSS Security Survey, nearly one in five healthcare provider organizations have experienced a security breach and about one in eight have had at least one case of medical identity theft.

According to HIMSS, the survey – supported by the Medical Group Management Association and underwritten by Experian® Data Breach Resolution – profiles the data security experiences of 283 information technology (IT) and security professionals employed by U.S. hospitals and physician practices. The collected data indicates that the greatest perceived “threat motivator” is the potential for healthcare workers to improperly access the electronic health information of friends, neighbors, spouses or co-workers.

Over half (51 percent) of survey respondents indicated their organizations had increased budgeted spending on security, but 49 percent admitted they spent 3 percent or less of their overall IT budgets on it, an inadequate proportion, according to industry experts. Surprisingly, 92 percent of respondents reported their organizations had actually conducted a formal data-security risk analysis. Roughly 19 percent of respondents reported their organizations had experienced a security breach and 12 percent had a known incident of medical identity theft.

Modern Healthcare reported on the response to the survey and the conclusion there still is not enough attention paid to security. According to Michael “Mac” McMillan, CEO of CynergisTek, the latest HIMSS survey indicates there has been some improvement in security spending since six years ago, when only those “doing a really good job” were spending at 3 percent. Six years ago, spending levels of 2 percent, 1 percent or less were the norm. But even 3 percent is still not enough, McMillan said.

For other industries in which data security is critical—banking, energy, government—“their average spend is between 6 percent and 12 percent,” McMillan said. McMillan also questioned the survey's finding of 92 percent compliance on risk assessments, stating that it didn’t correspond with his experience.

“That's 92 percent of the people who took the survey, not 92 percent of the people in the industry,” he said. “Every week I run across organizations where they haven't done an appropriate risk assessment. I don't believe for a second that applies to the industry as a whole.”

The survey also pinpoints shortcomings within the healthcare industry. Barriers to improving an organization’s security posture included budget, dedicated leadership and the following: 

  • organizations reported an average score of 4.35 regarding the maturity of the security environment (where 1 is not at all mature and 7 is highly mature)
  • nearly half (49 percent) of the survey’s responding organizations are still spending 3 percent or less of their overall IT budget on security initiatives that will secure patient data
  • 52 percent of the hospital-based respondents reported that they had a CSO, CISO or other full-time leader in charge of security of patient data

“Healthcare organizations are increasingly deploying technologies to increase data security, but continued analysis is crucial in ensuring the proactive prevention of data breaches within hospitals and physician practices. Without these anticipatory measures, security of patient data will remain a core challenge within our nation’s healthcare organizations,” said Lisa A. Gallagher, BSEE, CISM, CPHIMS, FHIMSS Vice President, Technology Solutions, HIMSS.