
Meeting of the HIT Standards Committee, P&S WG November 19, 2009

The 2009 HIMSS Security Survey: Insights into the Status of Healthcare Security Implementation sponsored by Symantec. Meeting of the HIT Standards Committee, P&S WG November 19, 2009 Lisa A. Gallagher, BSEE, CISM, CPHIMS HIMSS Senior Director, Privacy and Security lgallagher@himss.org.




Presentation Transcript


  1. The 2009 HIMSS Security Survey: Insights into the Status of Healthcare Security Implementation, sponsored by Symantec. Meeting of the HIT Standards Committee, P&S WG November 19, 2009. Lisa A. Gallagher, BSEE, CISM, CPHIMS, HIMSS Senior Director, Privacy and Security, lgallagher@himss.org

  2. Survey Methodology • Web-based survey conducted in August and September, 2009 • 196 respondents • Senior IT Executives, Chief Security Officers, Chief Privacy Officers • Hospitals, Health Care Systems • Trends data collected in the 2008 HIMSS Security Survey • Probed healthcare organizations’ preparedness to comply with the new privacy statutes in ARRA

  3. Survey Headlines General Security - Despite changes in the security and privacy landscape, healthcare organizations have made little change in the past year across a number of critical areas in the security environment. • Approximately sixty percent of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security • Fewer than half of respondents indicated that their organization has a formally designated CISO or CSO • Organizations rate the maturity of their security practice in the mid-range

  4. Survey Headlines Risk Analysis - Risk assessments are not universal among responding organizations • Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year • Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes.

  5. Survey Headlines Security Controls - Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization • About 85 percent of respondents reported that they monitor the success of these controls, and • Two-thirds of these respondents measure the success of these reports.

  6. Survey Headlines Use of Security Technology – Use of technical security controls is high in some areas. Use of encryption is not universal. • Firewalls and user access controls have reached a level of saturation in the market • In general, satisfaction with the existing security technologies in place in their organizations is high among respondents • Encryption is used by just 67 percent of responding organizations to secure data in transmission, and fewer than half encrypt stored data • E-mail encryption and Single Sign-On were most frequently identified by respondents as technologies that are not presently installed at their organization but are planned for future acquisition

  7. Survey Headlines Audit Logs - Audit logs are widely used among the organizations represented in this survey. Most often, the logs capture only security-critical events. • Data from firewalls, application logs and server logs are captured in the audit logs • Organizations are still mostly using manual capabilities to analyze the data in the audit logs • Only one-quarter of respondents reported that all analysis is done entirely electronically • Security-critical events are captured in the audit logs of 81 percent of respondents. This is followed by clinician access to data, which was identified by 72 percent of respondents. Sixty-four percent indicated that their audit log captures information on non-clinician access to data.

  8. Survey Headlines Accounting of Disclosures (today’s environment) - Fewer than half of respondents (44 percent) actively use their audit log information to provide an accounting of disclosures to patients. • Among the respondents who indicated that their organization currently provides an Accounting of Disclosures to patients, 46 percent reported that the audit log is the primary source of the information.
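Slides 7 and 8 describe two uses of the same audit data: separating security-critical events from clinician and non-clinician access (slide 7, where most respondents still analyze logs manually), and deriving a per-patient accounting of disclosures (slide 8, where the audit log is the primary source for 46 percent). The block below is an added example of doing both electronically; it is not part of the HIMSS presentation or survey. The `timestamp key=value` log format, the event names (`login`, `record.view`, `record.export`), the role names and the sample log lines are all constructed assumptions for the example, not output from any real EHR system.

```python
"""Automated analysis of EHR access audit logs (added example, not HIMSS survey material).

Log format, event names and role names below are assumptions made for the example;
the sample lines are constructed, not taken from any real system.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample audit log: one "timestamp key=value ..." record per line.
SAMPLE_LOG = """\
2009-09-14T08:12:03Z event=login user=jsmith role=clinician result=success src=10.1.4.22
2009-09-14T08:13:41Z event=record.view user=jsmith role=clinician patient=MRN100234 src=10.1.4.22
2009-09-14T09:02:17Z event=login user=bwayne role=billing result=success src=10.1.9.5
2009-09-14T09:03:05Z event=record.view user=bwayne role=billing patient=MRN100234 src=10.1.9.5
2009-09-14T09:20:55Z event=login user=unknown role=- result=failure src=203.0.113.7
2009-09-14T09:21:02Z event=login user=unknown role=- result=failure src=203.0.113.7
2009-09-14T10:45:30Z event=record.export user=tlee role=researcher patient=MRN100234 dest=extern-hie src=10.1.7.88
2009-09-14T11:10:12Z event=record.view user=jsmith role=clinician patient=MRN557801 src=10.1.4.22
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Which roles count as clinicians is an assumption for the example.
CLINICIAN_ROLES = {"clinician", "physician", "nurse"}


@dataclass
class AuditEvent:
    ts: str
    fields: Dict[str, str] = field(default_factory=dict)

    def get(self, key: str, default: str = "") -> str:
        return self.fields.get(key, default)


def parse_log(text: str) -> List[AuditEvent]:
    """Parse the key=value log into events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AuditEvent(m.group("ts"), dict(KV_RE.findall(m.group("kv")))))
    return events


def classify(ev: AuditEvent) -> str:
    """Bucket an event the way slide 7 distinguishes them: security-critical
    events vs. clinician vs. non-clinician access to patient data."""
    if "patient" not in ev.fields:
        return "security-critical"
    if ev.get("role") in CLINICIAN_ROLES:
        return "clinician-access"
    return "non-clinician-access"


def summarize(events: List[AuditEvent]) -> Dict[str, int]:
    """Count events per category; the split a manual review rarely produces."""
    return dict(Counter(classify(e) for e in events))


def accounting_of_disclosures(events: List[AuditEvent], patient_id: str) -> List[Dict[str, str]]:
    """Every access to one patient's record, in the shape a disclosure accounting
    needs: when, who (in what role), what action, and where the data went."""
    return [
        {"when": e.ts, "who": e.get("user"), "role": e.get("role"),
         "action": e.get("event"), "destination": e.get("dest", "internal")}
        for e in events if e.get("patient") == patient_id
    ]


def non_clinician_accessors(events: List[AuditEvent], patient_id: str) -> List[str]:
    """Users outside clinical roles who touched the record: the entries a privacy
    officer reviews first."""
    return [e.get("user") for e in events
            if e.get("patient") == patient_id and classify(e) == "non-clinician-access"]


def failed_logins_by_source(events: List[AuditEvent], threshold: int = 2) -> Dict[str, int]:
    """Sources with at least `threshold` failed logins: a security-critical pattern
    that is easy to miss when raw logs are read by hand."""
    counts = Counter(e.get("src") for e in events
                     if e.get("event") == "login" and e.get("result") == "failure")
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    for row in accounting_of_disclosures(evs, "MRN100234"):
        print(row)
    print("non-clinician access:", non_clinician_accessors(evs, "MRN100234"))
    print("repeated failed logins:", failed_logins_by_source(evs))
```

Run as a script it prints the category counts, the three accesses to MRN100234 (including the export to the external HIE destination), the two non-clinician accessors, and the source address with repeated failed logins. The point is structural: once access events carry a patient identifier and a role, the accounting of disclosures and the clinician / non-clinician split fall out of the same parsed records without anyone reading raw log lines.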

  9. Survey Headlines Health Information Exchange - Healthcare organizations currently widely share information with other organizations, such as government entities • This data sharing will increase in the future • Healthcare organizations are also increasingly allowing patients and surrogates to access information • These changes will require healthcare organizations to put additional controls in place

  10. Survey Headlines Security Breach - While most organizations don’t have a plan in place to respond to a threat or security breach, they often actively attempt to determine the cause of a breach at their organization • About half of respondents reported that their organization does not have a plan in place for responding to threats or incidents relating to a security breach. • Another 41 percent reported that their organization is currently putting this plan together; six percent of respondents reported that their organization has no plan in place and does not intend to develop one.

  11. Survey Headlines Medical Identity Theft - One-third of respondents (32 percent) reported that their organization has had at least one known case of medical identity theft. • However, only a handful noted that their organizations experienced direct consequences from the breach (such as additional fines, citations, loss of revenue, legal action, and being subjected to additional audits from organizations like the Joint Commission). • While most respondents note that their organizations are taking a proactive stance to evaluating and addressing the risk and impact of medical identity theft, most respondents are not highly concerned that their organization is at risk of medical identity theft in the future.

  12. Observations Healthcare organizations: • Face increasing challenges in adoption of electronic healthcare records in the midst of a complex legal, regulatory and threat environment • Need to appropriately resource and manage their security initiatives • Need to be good stewards of the data that they store and exchange • Need to be aware of state and federal laws and regulations for data exchange, and that HIE enterprise data sharing agreements also will apply
