Last month we discussed the high expectations that would be placed on healthcare IT this year. Only two months into the year, we are already seeing signs of this, following the release of the 2013 HIMSS Security Survey. The U.S. government has gotten involved with initiatives such as OCR audits, Meaningful Use and the HIPAA Omnibus Rule, which encourage healthcare organizations to increase their IT budgets and the resources dedicated to securing patient/personal healthcare information (PHI).
The survey itself profiles 283 U.S. healthcare IT and security professionals and their data security experiences. Its overall finding is that the greatest driver of data breaches in healthcare is inappropriate data access: for example, healthcare employees looking up the PHI of their neighbors, friends, family members or spouses.
Defenses against this, such as user access controls and the logging and auditing of who accessed which records, have increased recently, but it remains a major issue.
More than half of the respondents (51 percent, to be exact) said that their IT budget had increased over the previous year’s. However, 49 percent of organizations are devoting less than 3 percent of their overall budget to security.
The survey also revealed some other interesting facts:
- 92 percent of organizations conduct a formal risk analysis.
- 54 percent of organizations report having a data breach response plan that has been tested; 63 percent of those test their plan annually.
- Surprisingly, 93 percent of organizations report that they are collecting and analyzing data from audit logs.
- In line with the previous statistic, healthcare organizations are using methods to track what information is accessed and by whom; 67 percent of organizations use two methods, user-based and role-based access controls.
These are all positive signs that data breaches are being taken more seriously than ever, but there are still shortcomings that need to be addressed. As mentioned earlier, nearly half (49 percent) of the respondents are still spending only 3 percent or less of their overall IT budget on patient data security. And only 52 percent said that they had a full-time person (CSO, CISO, etc.) directly in charge of patient data security.
So healthcare organizations are starting to pick up the slack, but there is still a long way to go. Drawing on the help and knowledge of certified vendors in this field is a good way to make sure that you are taking the necessary steps to protect your patients’ data and to indemnify your organization if a breach were to occur.