Healthcare information technology executives are less concerned about the threat of medical identify theft in their organizations but have considered addressing the impact of stolen personal data in their overall security and privacy policies, according to results from the Healthcare Information and Management Systems Societys annual security survey.
Overall, survey results paint a picture of organizations that use a variety of security tools to protect information while dedicating only a small portion of their IT budgetsless than 3%to information security. Protecting information as it is shared electronically across organizations and government agencies also has become a higher priority, according to the survey. The 2008 HIMSS Security Survey had 155 respondents from a range of healthcare facilities including hospitals, health systems and ambulatory facilities.
Of the respondents, 48% said they conduct a formal risk analysis of their security systems annually, while 27% said they conduct reviews every two years. A small number, 6%, said that they conduct reviews every six months. Within IT budgets, 1% to 3% is dedicated to security, according to 36% of the respondents. Another 21% said less than 1% of their IT budgets are spent on security, according to the results.
Identity theft is emerging as a real issue, HIMSS said in its survey. About 20% of respondents reported at least one case of theft, and 44% said they have a plan in place to report security breaches, according to the survey. The Office of the National Coordinator for Health Information Technology recently awarded a $450,000 contract to Booz Allen Hamilton to evaluate the scope of medical identity theft in the U.S., and held a daylong town hall meeting that indicated a wide lack of systematic information about the issue.