The 2009 HIMSS Security Survey: Insights into the Status of Healthcare Security Implementation sponsored by Symantec Meeting of the HIT Standards Committee,

Presentation transcript:

The 2009 HIMSS Security Survey: Insights into the Status of Healthcare Security Implementation sponsored by Symantec Meeting of the HIT Standards Committee, P&S WG November 19, 2009 Lisa A. Gallagher, BSEE, CISM, CPHIMS HIMSS Senior Director, Privacy and Security

Survey Methodology
Web-based survey conducted in August and September, respondents
– Senior IT Executives, Chief Security Officers, Chief Privacy Officers
– Hospitals, Health Care Systems
Trends data collected in the 2008 HIMSS Security Survey
Probed healthcare organizations’ preparedness to comply with the new privacy statutes in ARRA

Survey Headlines: General Security
Despite changes in the security and privacy landscape, healthcare organizations have made little change in the past year across a number of critical areas in the security environment.
Approximately sixty percent of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security
Fewer than half of respondents indicated that their organization has a formally designated CISO or CSO
Organizations rate the maturity of their security practice in the mid-range

Survey Headlines: Risk Analysis
Risk assessments are not universal among responding organizations
Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year
Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes.

Survey Headlines: Security Controls
Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization
About 85 percent of respondents reported that they monitor the success of these controls, and two-thirds of these respondents measure the success of these reports.

Survey Headlines: Use of Security Technology
Use of technical security controls is high in some areas. Use of encryption is not universal.
Firewalls and user access controls have reached a level of saturation in the market
In general, satisfaction with the existing security technologies in place in their organizations is high among respondents
Encryption is used by just 67 percent of responding organizations to secure data in transmission, and fewer than half encrypt stored data
Encryption and single sign-on were most frequently identified by respondents as technologies that are not presently installed at their organization but are planned for future acquisition

Survey Headlines: Audit Logs
Audit logs are widely used among the organizations represented in this survey. Most often, the logs capture only security-critical events.
Data from firewalls, application logs and server logs are captured in the audit logs
Organizations are still mostly using manual capabilities to analyze the data in the audit logs; only one-quarter of respondents reported that all analysis is done entirely electronically
Logs capture security-critical events in 81 percent of responses. This is followed by clinician access to data, which was identified by 72 percent of respondents. Sixty-four percent indicated that their audit log captures information on non-clinician access to data.

Survey Headlines: Accounting of Disclosures (today’s environment)
Fewer than half (44 percent) actively use their audit log information to provide accounting of disclosures to patients.
Among the respondents who indicated that their organization currently provides an Accounting of Disclosures to patients, 46 percent reported that the audit log is the primary source from which they get this information.

Survey Headlines: Health Information Exchange
Healthcare organizations currently widely share information with other organizations, such as government entities
This data sharing will increase in the future
Healthcare organizations are also increasingly allowing patients and surrogates to access information
These changes will require healthcare organizations to put additional controls in place

Survey Headlines: Security Breach
While most organizations don’t have a plan in place to respond to a threat or security breach, they often actively attempt to determine the cause of a breach at their organization
About half of respondents reported that their organization does not have a plan in place for responding to threats or incidents relating to a security breach. Another 41 percent report that their organization is currently putting this plan together; six percent of respondents reported that their organization has no plan in place and does not intend to develop a plan.

Survey Headlines: Medical Identity Theft
One-third of respondents (32 percent) reported that their organization has had at least one known case of medical identity theft at their organization.
However, only a handful noted that their organizations experienced direct consequences from the breach (such as additional fines, citations, loss of revenue, legal action and being subjected to additional audits from organizations like the Joint Commission).
While most respondents note that their organizations are taking a proactive stance to evaluating and addressing the risk and impact of medical identity theft at their organization, most respondents are not highly concerned that their organization is at risk of medical identity theft in the future.

Observations
Healthcare organizations:
Face increasing challenges in adoption of electronic healthcare records in the midst of a complex legal, regulatory and threat environment
Need to appropriately resource and manage their security initiatives
Need to be good stewards of the data that they store and exchange
Need to be aware of state and federal laws and regulations for data exchange, and that HIE enterprise data sharing agreements also will apply