Concerns around the security of patient data have been a long standing issue in healthcare information technology circles. In fact, ten years ago, the 2004 HIMSS Leadership Survey indicated that two-thirds of respondents had concerns that internal breaches could compromise the security of electronic information, and breaches of electronic health data remain a concern in this year’s 2013 HIMSS Security Survey. The study was supported by MGMA and sponsored by Experian® Data Breach Resolution.
This survey, which profiles the data security experiences of 283 information technology (IT) and security professionals employed by U.S. hospitals and physician practices, found (among other things) that the greatest "security threat motivator" they encounter is that of healthcare workers potentially snooping into the electronic health information of friends, neighbors, spouses or co-workers.
Recognizing that inappropriate access of data by employees is a key area for which organizations are at risk of a security breach, healthcare organizations continue to strengthen the suite of technologies in place to secure data. Use of several key technologies related to employee access to patient data have all increased, including user access controls and audit logs of each access to patient health records.
Additionally, healthcare organizations are using multiple means of controlling employee access to patient information. Two-thirds of respondents reported that they use at least two access control mechanisms, such as user-based and role-based access controls, for controlling employee access to data. Furthermore, the number of respondents indicating their organization is collecting and analyzing data from audits logs is also increasing. For instance, the number of respondents that report their organization analyzes data from their firewalls, applications and servers has all increased in the past year.
Lastly, healthcare organizations are more frequently auditing their IT security plan to ensure they are ready in the event that a breach – internal or external – takes place.
Other key survey results include:
Risk Analysis: Ninety-two (92) percent of respondents noted their organization conducts a formal risk analysis. Significantly, while the number of respondents working for a hospital that conducted a risk analysis remained relatively consistent, the number of respondents working for physician practices that reported their organization conducted a risk analysis increased from 65 percent in 2012 to 78 percent in 2013.