Many outfits skip security risk analysis: study
Results from the third annual survey of healthcare information technology security officials have been published by the Chicago-based Healthcare Information and Management Systems Society. They indicate that a significant minority of healthcare organizations, particularly physician practices, is still not performing formal security risk analysis, while allocations for security have remained flat over the past three years.
Also, about one-third of respondents to the survey reported their organizations have experienced at least one known case of medical identity theft.
The Web-based survey, sponsored by Intel Corp., was joined this year by the Medical Group Management Association to provide more information about security issues in the medical group and ambulatory-care areas. There were 272 qualified respondents to the survey this year, compared with 196 last year and 155 in the 2008 survey. A copy of the 47-page survey report is available on the HIMSS website.
According to the report, three-quarters of all respondents indicated that they have performed a risk assessment at their organization and 59% of those who did said they do one annually. But 33% of survey respondents in medical practices reported their organization does not conduct a risk assessment, compared with just 14% of respondents from hospitals.
About half of all respondents reported that their organization spends 3% or less of its IT budget on information security. Those budget numbers have remained virtually unchanged since 2008, while the risk assessment percentage also stayed flat compared with last year's number, something of a disappointment for Lisa Gallagher, senior director of privacy and security at HIMSS.
“The two things that I focused on last year when I talked with everyone had to do with the budgets for security and the percentages that were doing risk assessments,” Gallagher said. “We had long conversations about both of those numbers and they haven't changed.”