Survey: Many healthcare facilities unprepared for HITECH requirements
Despite the health IT adoption push following the American Recovery and Reinvestment Act (ARRA) of 2009, many healthcare facilities may not be prepared to meet some of the Health IT for Economic and Clinical Health (HITECH) Act requirements, based on the findings of the second annual Healthcare Information and Management Systems Society (HIMSS) security survey.

The survey, sponsored by Mountain View, Calif.-based systems management developer Symantec, received 196 responses between Aug. 21 and Oct. 5 from IT and security professionals in U.S. healthcare provider organizations. It was designed to collect information on topics regarding organizations’ general security environments--which included their preparedness and approach to meeting new privacy and security requirements contained in the ARRA.

Respondents characterized their security environment as being at a middle rate of maturity, with an average score of 4.27 on a scale of one to seven, where one is not mature and seven is a high level of maturity.

“While security awareness is very high and people have a lot of tools and have been naming security officers, no one has really started the full implementation process,” said David Finn, Symantec’s health IT officer and HIPAA privacy and security officer.

Suprisingly, approximately 60 percent of respondents reported that their organizations spend 3 percent or less of their IT budgets on information security.

Other key findings from the survey were:
  • Slightly more than half of the organizations have a response plan for threats or a security breach (54 percent);
  • A designated chief security officer or chief information security officer is not in place (58 percent);
  • Only 47 percent of the respondents said they conducted an annual formal risk-analysis assessment; and
  • While one-third of the respondents reported that their organization has had at least one known case of medical identity theft, the report concluded that the respondents are not overly concerned about the threat of medical identity thefts.

“As healthcare providers are driven to connectivity,” said Finn in an interview, “it creates a dichotomy in the healthcare environment.” Providers want to get patient-focused measures, like EHRs, implemented, which draws off resources from other areas. Every facility has limited resources but, Finn said, they shouldn’t be mutually exclusive.

The survey reveals that healthcare organizations are not using the current security technologies available to keep patient data safe. Respondents to the survey widely use audit logs with data from firewalls, application logs and server logs as common information sources. Yet, when analyzing the log data, only 25 percent of respondents reported electronic analysis of that data. Only 67 percent of responding organizations use encryption to secure data in transmission, and fewer than half encrypt stored data.

Encryption is an easy win for the future of security protocols, according to Finn. “Many people use encryption on their mobile phones,” explained Finn. “Encrypted data at rest behind your firewall is good practice and a safe harbor for the breach of notification requirement so if your data is encrypted according to the standards that have been prescribed, that actually is a level of security that can exempt you from the notification requirements."

Looking to the future, Finn reiterated that security risks at one facility are going to be different from another's. “It’s important to assess your organization and your risk environment,” said Finn. “Knowing that you can’t fix everything at once, you’re going to need to prioritize and if you sequence things right, you’re going to leverage what you’re putting in across the board over time.”

Finn concluded that facilities will want to work with an eye towards how the restructuring will fit together when all the work is done "three to five years down the road."