Nearly 1 in 5 healthcare provider organizations have experienced a security breach and about 1 in 8 have had at least one case of medical identity theft, according to a survey by the Healthcare Information and Management Systems Society, with support from the Medical Group Management Association.
More than half (51%) of survey respondents indicated their organizations had increased budgeted spending on security, but about half (49%) reported spending 3% or less of their overall IT budgets on it, which is less than adequate, according to industry experts. In a surprising finding, 92% of respondents reported their organizations had conducted a formal data-security risk analysis. Roughly 19% of respondents reported their organizations had experienced a security breach and 12% had a known incident of medical identity theft.
“Healthcare organizations are increasingly deploying technologies to increase data security, but continued analysis is crucial in ensuring the proactive prevention of data breaches within hospitals and physician practices,” said Lisa Gallagher, vice president of technology solutions for HIMSS, in a release. “Without these anticipatory measures, security of patient data will remain a core challenge within our nation's healthcare organizations.”
The Web-based survey, the sixth annual by HIMSS, a Chicago-based health information technology industry trade group, was taken by 283 IT and security experts at U.S. hospitals and medical group practices. It was conducted during the fourth quarter of 2013. The survey was funded by Experian Data Breach Resolution, an arm of the credit-reporting agency.
Michael “Mac” McMillan, CEO of CynergisTek, an Austin, Texas-based healthcare data security firm, said the latest HIMSS survey indicates there has been some improvement in security spending since six years ago, when only those “doing a really good job” were spending at 3%. Six years ago, spending levels of 2%, 1% or less were the norm. But even 3% is still not enough, McMillan said.
For other industries in which data security is critical—banking, energy, government—“their average spend is between 6% and 12%,” McMillan said.
The survey's 92% compliance finding on risk assessments, McMillan said, doesn't jibe with his experience.
“That's 92% of the people who took the survey, not 92% of the people in the industry,” he said. “Every week I run across organizations where they haven't done an appropriate risk assessment. I don't believe for a second that applies to the industry as a whole.”
Follow Joseph Conn on Twitter: @MHJConn