The recently released 2012 Healthcare Information and Management Systems Society (HIMSS) Security Survey reports a notable increase in security measures undertaken by U.S. hospitals to protect their electronic records from data breaches. However, their counterparts in healthcare, private physician practices, have not been as diligent in implementing cyber security measures to protect their electronic data from medical data breaches.
Since 2008, HIMSS has conducted this annual survey of information technology (IT) and security professionals working in healthcare organizations across the U.S. about their data protection and security policies.
One reason for the increased security effort by hospitals is the incentive program from the U.S. Centers for Medicare and Medicaid Services (CMS) that governs the use of electronic health records and provides Medicare and Medicaid incentive payments to eligible healthcare providers and hospitals if they meet specific criteria. One of CMS' requirements is that healthcare organizations conduct an annual security risk analysis in order to qualify for the incentives. This includes auditing their IT security plan to make sure it is up to date and working, in addition to testing their data breach response plan. In 2008, 75% of the survey participants from a mainly hospital-centric population said they had conducted a risk analysis, and 54% of the group said they did one annually. The 2012 survey shows that the numbers have grown since then: over 90% of hospital-based respondents reported having conducted a risk analysis, and 75% of those respondents said they did an analysis at least once a year.
On the other hand, only 65% of survey participants who worked in a physician practice reported having done an annual risk analysis. Survey participants working for private practices generally do not implement formal security policies or data security tools like their peers who work at hospitals, many of which are part of large corporations with strict regulations. However, physician practices experienced fewer data breaches and medical identity theft cases because private practices generally handle a smaller volume of patients than hospitals and also employ fewer staff, and staff are one of the biggest threats to healthcare data breach protection. Since health records are now more commonly distributed electronically, nearly all respondents that share data through a website or web portal use password protection, an increase from 2011 when only 80% used passwords. Other security tools such as firewalls and user access controls have also become widespread in the last several years.
Although the 2012 survey shows that improvements in protecting sensitive medical data in an increasingly electronic environment are still needed, healthcare organizations have made substantial efforts in the last five years to protect their industry from cyber threats and continue to adopt new technologies in order to ensure the safekeeping of patient privacy. It will be interesting to see what happens in the next five years.