Last week, Lisa Gallagher introduced the results from the third Annual HIMSS Security Survey sponsored by Intel in her blog, focusing on risk analysis. She also promised more dialogue on the topic. I had the pleasure of moderating the session last week at HIMSS Virtual Conference in which Lisa shared the findings of the survey. This blog delivers on Lisa’s promise, discussing how healthcare organizations resource the security of patient information, both from a budgeting and a staffing perspective.
Budget
Approximately half of the survey’s 272 respondents reported that their healthcare organization spends three percent or less of its total IT budget on information security. Conversely, only 12 percent reported that their organization spends seven percent or more of the IT budget on information security. Although these figures are consistent with what was reported last year, many respondents indicated that their security budget actually increased in the past year, primarily as a result of federal initiatives such as the EHR incentive program, the conversion to ICD-10, and the HIPAA 5010 electronic transaction standards. It will be worth watching whether, and how, security spending fueled by federal initiatives keeps pace with security spending in other industries, which tends to be closer to an average of 5 percent of overall IT spending[1].
Staffing
From a staffing perspective, slightly more than half of respondents reported that they have either a Chief Security Officer (CSO), a Chief Information Security Officer (CISO), or full-time staff in place to handle their organization’s security function. Those working for a hospital were more likely to report having a CSO/CISO in place than individuals working for medical practices. In addition, respondents working for medical practices were much more likely to indicate that they handled their security function exclusively with external resources; none of the respondents from hospitals reported relying on external resources exclusively. This suggests a potential lack of IT staff at medical practices, leaving the security function to people who simply do not have the expertise and background to navigate the complex issues surrounding the privacy and security of patient data. One approach to bridging this gap may be the use of external resources, such as consultants.
As more and more healthcare organizations adopt electronic health records and share information outside the four walls of the practice setting, ensuring that organizations have appropriate security staffing and resources becomes even more critical.
How do budget and staffing issues affect your organization’s security function?
[1] See Jeremy Kirk’s article at PCWorld, “How Much Should You Spend on IT Security?”