The Annual HIMSS Security Survey – Let’s Talk about Risk Analysis

This year’s HIMSS Security Survey results indicate that three-quarters of all respondents reported that they perform a risk assessment at their organization, but this means that fully one quarter do not.

Look, we all know this... Risk analysis is the best process for a healthcare organization to gain a complete understanding of its security profile—the threat environment, system vulnerabilities and overall risk exposure.

Risk analysis is a key requirement of the Health Insurance Portability and Accountability Act (HIPAA) final security rule, and as such has been a requirement for healthcare organizations for many years. Further, the Stage One meaningful use criteria state that organizations are not only required to conduct a risk analysis, but must also correct deficiencies identified during the risk analysis process.

Now in its third year, the 2010 HIMSS Security Survey, sponsored by Intel, reports the opinions of information technology (IT) and security professionals from healthcare provider organizations across the U.S. regarding key issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations.

This year, the study was supported by Medical Group Management Association (MGMA) to encourage additional representation in the medical group and ambulatory space. There were 272 IT and security professionals who answered questions about their own organization’s readiness for today’s risks and security challenges.

As I noted earlier, this year’s results indicate that three-quarters of all respondents reported that they perform a risk assessment at their organization, but this means that fully one quarter do not. While this is similar to the percentage reported last year, this year’s study has a greater representation of medical practices with a clear difference in the percent of respondents that indicated they conducted a risk analysis.

  • Respondents working for medical practices were twice as likely to report that their organization does not conduct a risk analysis compared to those that work at a hospital (33 percent compared to 14 percent).
  • Overall, a high percentage of those that are conducting a risk assessment reported using this information to determine which security controls should be put into place at their organizations.
  • The risk assessment results were also used by many organizations to identify gaps in existing security controls, policies and/or procedures. As a result of the risk assessment, organizations were able to actively take steps to correct deficiencies. This indicates that those organizations that actually perform a risk assessment understand how to use the results to make improvements and manage their risk, and the survey data serves to emphasize the important role and value that ongoing security risk analysis can play in protecting health data.

We at HIMSS urge healthcare organizations to use the risk analysis process to not only achieve regulatory compliance, but also, to gain the benefits achieved by the organizations in this survey. We cannot overemphasize the important role and value that ongoing risk management can play in protecting health data. You can see it in the data!

What do you think are the roadblocks for organizations, large and small, inpatient and ambulatory, that prevent them from implementing security risk assessments?

And, what can be done to remove those roadblocks?

More survey analysis to come in future blog entries and in the HIMSS Security Survey report on the HIMSS website.

About Lisa A. Gallagher, BSEE, CISM, CPHIMS

Lisa Gallagher, BSEE, CISM, CPHIMS, is HIMSS Senior Director, Privacy and Security.
This entry was posted in HIMSS News and Developments, Patient-Centered Systems, Public Policy.

5 Responses to The Annual HIMSS Security Survey – Let’s Talk about Risk Analysis

  1. abazer says:

    Thanks for the great presentation, Lisa! You can still register to attend the November 2010 HIMSS Virtual Conference and hear Lisa’s presentation on demand http://www.himssvirtual.org

  2. Pingback: HIMSS Security Survey: Budget and Staffing – The Hidden Dilemma | HIMSS Blog

  3. Gregory Michaels says:

    Healthcare provider organizations face a number of challenges in conducting a comprehensive security risk assessment. One challenge is that many providers do not have dedicated security leadership and staff resources to implement an effective security management program. The responsibilities for securing protected health information (“PHI”) are typically shared among various departments or individuals. This issue is exacerbated for smaller organizations. Conducting a security risk assessment which will provide real value to the organization in addition to satisfying regulatory requirements needs to be a continuous program which is focused on understanding how PHI is created, received, processed, stored, transmitted and destroyed within the organization and outside. Therefore, the scope of a security risk assessment is huge and requires well-trained information risk management resources with healthcare experience.

    Another issue is awareness and guidance concerning how to conduct a security risk assessment, which is directly related to the first challenge above. There are a number of general frameworks including NIST Special Publication 800-30, but these documents are often perceived to be too broad. There are healthcare-specific resources including the Office of Civil Rights (“OCR”) HIPAA Security Standards: Guidance on Risk Analysis document and frameworks such as HITRUST, but these are often unknown to those responsible for security management.

    Financial resources are also constrained at most healthcare provider organizations making it difficult to justify the cost of bringing in internal and/or external resources with the experience to implement the program described above when compared with the needs of the organization to provide better, safer and more efficient care to its patients.

    In terms of increasing the number of provider organizations that conduct risk assessments, I think that state and federal regulations will obviously play a major role in shifting the balance of risk. More importantly, however, is that security professionals continue to communicate the tangible and intangible value that conducting security risk assessments provide for organizations. Protecting confidential information is critical in creating and maintaining consumer trust and this trust will be essential in providing better, safer and more cost-effective care in the future.

  4. Derek Brost says:

    It seems that most larger healthcare organizations have accomplished a manageable internal security process for risk assessments of primarily IT/IS-controlled systems. This is typically based on some reasonable standard (COBIT, NIST, etc.) for consistency and effectiveness. However, we have found that non IT/IS-controlled systems such as medical devices with ePHI are almost always overlooked by security and HIPAA compliance personnel. This is especially the case for smaller organizations and practices.

    As with most aspects of security, risk management can be especially challenging to maintain relevance and affect change if the data owners don’t take their fiduciary responsibilities seriously. The clinicians that rely on using the systems and data for patient care may think of security and HIPAA compliance as an undue burden in their work. This exacerbates the problem for all staff and the organization, but ultimately can lead to the many breaches we see reported on the HHS website and in the news.

    Education and awareness, such as with the HIMSS Security Survey, seem to be the most important tools to make change for better compliance, acceptable risk, and decreased occurrence of patient data breaches. The target for these methods should be spread broadly: from clinicians, to senior management, and ultimately to patients, before we can expect to see due care and due diligence applied consistently throughout healthcare.

  5. dr. david halajko says:

    Interesting survey... but what would the results be like if small provider practices (1-3 doctors per office) were polled? Most small offices I have encountered do not have personnel with the knowledge, skills or experience to perform a security risk analysis, much less risk management. A security assessment AND risk management are REQUIRED objectives for HITECH fund recipients. Will HITECH fund awards trigger “random” OIG HIPAA security audits? Only time will tell...
