1
The 2009 HIMSS Security Survey: Insights into the Status of Healthcare Security Implementation
Sponsored by Symantec
Meeting of the HIT Standards Committee, P&S WG
November 19, 2009
Lisa A. Gallagher, BSEE, CISM, CPHIMS
HIMSS Senior Director, Privacy and Security
lgallagher@himss.org
2
Survey Methodology
– Web-based survey conducted in August and September, 2009
– 196 respondents
  – Senior IT Executives, Chief Security Officers, Chief Privacy Officers
  – Hospitals, Health Care Systems
– Trends data collected in the 2008 HIMSS Security Survey
– Probed healthcare organizations’ preparedness to comply with the new privacy statutes in ARRA
3
Survey Headlines
General Security - Despite changes in the security and privacy landscape, healthcare organizations have made little change in the past year across a number of critical areas in the security environment.
– Approximately sixty percent of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security
– Fewer than half of respondents indicated that their organization has a formally designated CISO or CSO
– Organizations rate the maturity of their security practice in the mid-range
4
Survey Headlines
Risk Analysis - Risk assessments are not universal among responding organizations
– Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year
– Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes.
5
Survey Headlines
Security Controls - Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization
– About 85 percent of respondents reported that they monitor the success of these controls
– Two-thirds of these respondents measure the success of these reports
6
Survey Headlines
Use of Security Technology - Use of technical security controls is high in some areas. Use of encryption is not universal.
– Firewalls and user access controls have reached a level of saturation in the market
– In general, satisfaction with the existing security technologies in place in their organizations is high among respondents
– Encryption is used by just 67 percent of responding organizations to secure data in transmission, and fewer than half encrypt stored data
– E-mail encryption and Single-Sign-On were most frequently identified by respondents as technologies that are not presently installed at their organization but are planned for future acquisition
7
Survey Headlines
Audit Logs - Audit logs are widely used among the organizations represented in this survey. Most often, the logs capture only security-critical events.
– Data from firewalls, application logs and server logs are captured in the audit logs
– Organizations are still mostly using manual capabilities to analyze the data in the audit logs
– Only one-quarter of respondents reported that all analysis is done entirely electronically
– Logs capture security-critical events in 81 percent of responses. This is followed by clinician access to data, which was identified by 72 percent of respondents. Sixty-four percent indicated that their audit log captures information on non-clinician access to data.
8
Survey Headlines
Accounting of Disclosures (today’s environment) - Fewer than half (44 percent) actively use their audit log information to provide accounting of disclosures to patients.
– Among the respondents who indicated that their organization currently provides an Accounting of Disclosures to patients, 46 percent reported that the audit log is the primary source of this information.
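The two audit-log findings above (most analysis is still manual, and fewer than half derive an accounting of disclosures from the log) are easier to reason about with a concrete, automated pass over log data. The following is an added example, not HIMSS or survey material and not any EHR product's code: it assumes a constructed pipe-delimited log format and made-up role names, classifies each event into the survey's three categories (security-critical, clinician access, non-clinician access) plus disclosures, and builds a per-patient accounting of disclosures directly from the log.

```python
"""Automated audit-log analysis: event classification and accounting of disclosures.

Added example with a CONSTRUCTED log format; field layout, action names and
role names are assumptions, not a real EHR product's audit schema.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed field order of each pipe-delimited log line.
FIELDS = ("timestamp", "actor", "role", "action", "patient_id", "recipient")

# Constructed sample audit log (not captured from any real system).
SAMPLE_LOG = """\
2009-09-01T08:02:11|jdoe|physician|VIEW_RECORD|P1001|
2009-09-01T08:05:40|admin01|sysadmin|LOGIN_FAILED||
2009-09-01T08:06:02|admin01|sysadmin|LOGIN_FAILED||
2009-09-01T08:10:13|billing7|billing|VIEW_RECORD|P1001|
2009-09-01T09:15:22|him02|records|DISCLOSE|P1001|State Health Dept
2009-09-01T09:40:00|nurse3|nurse|VIEW_RECORD|P1002|
2009-09-01T10:01:45|admin01|sysadmin|PRIV_CHANGE||
2009-09-02T11:20:09|him02|records|DISCLOSE|P1002|Insurer XYZ
2009-09-03T14:00:00|him02|records|DISCLOSE|P1001|Research Registry
"""

# Assumed role and action vocabularies for the constructed format.
CLINICIAN_ROLES = {"physician", "nurse"}
SECURITY_CRITICAL_ACTIONS = {"LOGIN_FAILED", "PRIV_CHANGE"}


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    actor: str
    role: str
    action: str
    patient_id: str   # empty for events not tied to a patient record
    recipient: str    # populated only for DISCLOSE events


def parse_log(text: str) -> list[AuditEvent]:
    """Parse the constructed pipe-delimited format; reject malformed lines loudly
    rather than silently dropping them, since a gap in an audit trail matters."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        events.append(AuditEvent(*parts))
    return events


def classify(event: AuditEvent) -> str:
    """Map one event to the survey's categories (plus 'disclosure')."""
    if event.action in SECURITY_CRITICAL_ACTIONS:
        return "security_critical"
    if event.action == "DISCLOSE":
        return "disclosure"
    if event.action == "VIEW_RECORD":
        return "clinician_access" if event.role in CLINICIAN_ROLES else "non_clinician_access"
    return "other"


def summarize(events: list[AuditEvent]) -> dict[str, int]:
    """Count events per category; this is the 'entirely electronic' analysis
    the survey found only a quarter of organizations perform."""
    return dict(Counter(classify(e) for e in events))


def accounting_of_disclosures(events: list[AuditEvent], patient_id: str) -> list[tuple[str, str, str]]:
    """Accounting of disclosures for one patient, sourced from the audit log:
    (timestamp, recipient, disclosing actor), oldest first."""
    rows = [(e.timestamp, e.recipient, e.actor)
            for e in events if e.action == "DISCLOSE" and e.patient_id == patient_id]
    return sorted(rows)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(summarize(evts))
    for row in accounting_of_disclosures(evts, "P1001"):
        print("P1001 disclosed:", row)
```

Keeping the accounting-of-disclosures query as a pure function of the parsed log is the point: if the log is the primary source, the report is reproducible from it and can be regenerated when a patient asks, rather than assembled by hand.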
9
Survey Headlines
Health Information Exchange - Healthcare organizations currently widely share information with other organizations, such as government entities
– This data sharing will increase in the future
– Healthcare organizations are also increasingly allowing patients and surrogates to access information
– These changes will require healthcare organizations to put additional controls in place
10
Survey Headlines
Security Breach - While most organizations don’t have a plan in place to respond to a threat or security breach, they often actively attempt to determine the cause of a breach at their organization
– About half of respondents reported that their organization does not have a plan in place for responding to threats or incidents relating to a security breach.
– Another 41 percent report that their organization is currently putting this plan together; six percent of respondents reported that their organization has no plan in place and does not intend to develop a plan.
11
Survey Headlines
Medical Identity Theft - One-third of respondents (32 percent) reported that their organization has had at least one known case of medical identity theft at their organization.
– However, only a handful noted that their organizations experienced direct consequences from the breach (such as additional fines, citations, loss of revenue, legal action and being subjected to additional audits from organizations like the Joint Commission).
– While most respondents note that their organizations are taking a proactive stance to evaluating and addressing the risk and impact of medical identity theft at their organization, most respondents are not highly concerned that their organization is at risk of medical identity theft in the future.
12
Observations
Healthcare organizations:
– Face increasing challenges in adoption of electronic healthcare records in the midst of a complex legal, regulatory and threat environment
– Need to appropriately resource and manage their security initiatives
– Need to be good stewards of the data they store and exchange
– Need to be aware of state and federal laws and regulations for data exchange, and that HIE enterprise data sharing agreements also will apply