Medical practices lag behind hospitals in electronic security efforts

December 9, 2010

Medical practices lag behind hospitals in their past efforts and future plans to address security issues related to electronic health records, according to responses to the 2010 HIMSS Security Survey, sponsored by Intel and supported by the Medical Group Management Association.


Findings of the survey:

Medical practices are less likely to perform risk assessments than are hospitals; 33% of practices do not conduct such analyses, compared with 14% of hospitals. Such assessments are required by the Centers for Medicare and Medicaid Services for practices and hospitals to meet meaningful use objectives and receive incentives stemming from the American Recovery and Reinvestment Act of 2009.

Those working for medical practices were less likely to report they had a chief security officer or chief information security officer in place compared with individuals working in hospitals. In fact, 17% of respondents working for medical practices indicated that they handled the security function exclusively by using external resources. None of the respondents from hospitals reported using external resources exclusively.

Forty percent of survey participants from medical practices reported using two or more types of controls to manage data access, compared with more than half of the respondents from hospitals. The surveyed organizations reported user-based and role-based controls as the most widely used controls to secure electronic patient information.

Almost all of the survey respondents reported that their organizations actively work to determine the cause of security breaches, and two-thirds have plans in place for responding to these threats. Respondents from medical practices were less likely than hospital participants to report that they worked to determine the cause of security breaches.

About 85% of respondents said that their organizations share patient data in an electronic format. However, medical practice respondents (77%) were less likely than their hospital counterparts (83%) to report that they would share data in the future.

Mobile device encryption, e-mail encryption, and single sign-on were most frequently identified by respondents as technologies not currently installed at their organizations but planned for future installation. Respondents from medical practices not using these technologies, compared with participants from hospitals, were less likely to report the intent to install them in the future.

Those working for medical practices were less likely to report that an instance of medical identity theft had occurred at their organization (17%) compared with those working for a hospital (38%). Among all respondents, 33% reported that their organizations had had at least one known case of medical identity theft.

Among the respondents, little difference appeared by organization type in security budgets. About half of respondents indicated that their organizations spend 3% or less of the organization's information technology (IT) budget on information security, similar to the 2009 results. Respondents indicated, however, that their security budgets have increased in the past year because of federal incentives.

"Meaningful use objectives are now in place, so hospitals and medical practices have an important new requirement that must be followed to ensure the protection of patient health information and achieve meaningful use," said Lisa Gallagher, BSEE, CISM, CPHIMS, senior director of privacy and security, HIMSS. "As the survey results indicate, one-quarter of the sample population would not qualify for meaningful use incentives based on not having a process to conduct risk analysis. With almost 80% of respondents indicating that they would share electronically stored data outside of their organizations, healthcare organizations must ensure that proper security protections are operative and based on an ongoing risk analysis process."

The survey involved 272 healthcare IT and security professionals, one-fourth of whom indicated that they worked for medical practices.