Results from the 2010 HIMSS Security Survey, sponsored by Intel, and supported by MGMA
Based on the assessment of 272 IT and security professionals [Chief Security Officer, Chief Information Security Officer] of their own organization’s readiness for today’s risks and security challenges.
In July 2010, the Centers for Medicare and Medicaid Services (CMS) published the final rules six months after they published a Notice of Proposed Rulemaking. In this set of final rules, CMS identified a core set of 14 meaningful use objectives on which eligible hospitals (EH) and 15 core meaningful use objectives on which eligible professionals (EP) need to focus to qualify for incentive funds provided through the new CMS Medicare and Medicaid incentive program.
Additionally, EHs and EPs must focus on five of 10 menu set objectives to qualify for incentive funds. One of these rules specifically stipulates that eligible hospitals and eligible providers must protect electronic health information created or maintained by the electronic health record (EHR) by conducting or reviewing a security risk analysis. These organizations must also implement security updates as necessary and correct identified security deficiencies as part of their risk management process.
General Information Security
Approximately half of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security; half of respondents noted that federal initiatives facilitated an increase in budget/resources for information security. [53%] of the survey respondents noted that they have a full time resource, such as a Chief Security Officer, in place and only [5%] reported that their entire security function is handled externally.
New to the study in 2010 was a question as to whether or not the percent of the IT budget dedicated to information security has changed in the past year. Half of survey respondents [53%] noted that the amount of the IT budget dedicated to security has increased in the past year.
Additional Key Survey Results include:
Security Breaches and Medical Identity Theft
- Only 17% of respondents working for medical practices said they were likely to report an instance of medical identity theft, compared to 38% of those working for a hospital.
- Two thirds of respondents reported that their organization has formal policies/procedures in place related to addressing a security breach.
- One-third of respondents reported that their organization had experienced at least one instance of medical identity theft.
The results also show that medical practices are not as advanced as hospitals in many areas of data security:
- They are less likely to report conducting a formal risk analysis.
- They are less likely to have many of the security tools in place.
- They are less likely to analyze data from their audit logs.