Most hospitals have full-time risk assessments
These were some key results from the recent survey conducted by the Healthcare Information and Management Systems Society (HIMSS):
Medical identity theft: One-third of respondents reported at least one known case of medical identity theft at their organization. Those working for a medical practice were much less likely to report that an instance of medical identity theft had occurred at their organization (17%) than those working for a hospital organization (38%).
Patient identity: Half of respondents indicated that they validate patient identity by requiring a government/facility-issued ID and checking the ID against information in the master patient index. A similar percent reported that they have a formal process for reconciling duplicate records in their master patient index.
Maturity of environment: Respondents characterized their environment at a middle rate of maturity, with an average score of 4.43 on a scale of 1 to 7, where one is not at all mature and seven is a high level of maturity. Maturity refers to the organization's adoption of security measures.
Security budget: About half of respondents reported that their organization spends 3% or less of their organization's IT budget on information security. However, while this was consistent with what was reported last year, many respondents indicated that their budget actually increased in the past year, primarily as a result of federal initiatives. There is little difference in response in this area by organization type.
Formal security position: Slightly more than half (53%) of respondents reported that they have a chief security officer or full-time staff in place to handle their organization's security function. Those working for a hospital were more likely to report that they had a chief security officer in place than individuals working for medical practices. Also, while 17% of respondents working for medical practices indicated that they handled their security function exclusively using external resources, none of the respondents from hospitals reported that they used external resources exclusively.
Risk analysis: Of the respondents who reported that their organization conducts a formal risk analysis, slightly more than half (59%) indicated that the analysis is conducted annually. Susceptibility to internal threats and to external threats is nearly universally included in the risk analysis.
Patient data access: Surveyed organizations most widely use user-based and role-based controls to secure electronic patient information. User-based security requires the user to log on with credentials such as a username and password, whereas role-based security restricts access to authorized people in certain roles. More than half of respondents from hospital organizations reported that they used two or more types of controls to manage data access, compared to 40% of respondents from medical practices. About half of respondents reported that their organization allows patients or their surrogates to access electronic patient information.
Management of security environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches, and two-thirds reported having a plan in place for responding to threats or incidents related to a security breach. Respondents working for the hospital organizations in this sample were more likely to report that they worked to determine the cause/origin of security breaches than were their counterparts at medical practices.
Security in a networked environment: About 85% of respondents reported that their organization shares patient data in an electronic format. Data is most frequently shared with third-party providers, state government, and other facilities within the corporate organization. While respondents from hospitals are somewhat more likely to report (83%) that they will share data in the future than are those from medical practices (77%), the likelihood of future data sharing is high among both groups.
Future use of security technologies: Mobile device encryption, e-mail encryption, and single sign-on were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation. Respondents from hospitals that were not presently using these technologies were more likely to expect to install them in the future than respondents from medical practices.