Data Security Initiatives are Gaining Steam Within Healthcare Organizations
By: Secureworks
I recently returned from the HIMSS annual conference in New Orleans, Louisiana, where vendors and service suppliers vied for the attention of some 32,000 attendees from a wide swath of healthcare providers, technology firms, and other curious seekers of healthcare solutions. Walking the aisles, one trend was abundantly clear - data security has taken a front seat among solutions of all sizes. Many vendors, regardless of their product or service, advertised a "secure solution." This really comes as no surprise, since HIMSS has set an overall goal that "By 2014, all entities who use, send, or store health information meet requirements for confidentiality, integrity, availability and accountability based on sound risk management practices, using recognized standards and protocols." This uptick in interest in and pursuit of security solutions is based on many factors, but some of the more recognizable are that:
Breaches are prevalent: 60 percent of healthcare organizations have had 2 or more breaches in the past two years, and according to a recent Ponemon Institute poll, 96 percent of providers have had at least one breach.
Incident Response is a growing concern: Of respondents to the recent HIMSS 2013 security survey, only 43 percent of providers reported that they have tested their data breach response plan.
There is a shortage of security talent and spending within healthcare organizations: According to the HIMSS survey, 32 percent of healthcare organizations handle security functions with part-time staff, and over half are still spending 3 percent or less of their overall IT budget on securing patient data.
Basic security controls and devices are lacking: Only 52 percent of healthcare organizations have any form of IDS/IPS in place, and only 15 percent have log aggregation and correlation.
To their credit, hospitals have made significant strides in the past four years toward becoming more secure, and not just compliant. In 2008, for instance, 75 percent of the provider-based HIMSS survey participants conducted a risk analysis. The 2012 survey, though, indicates that over 90 percent of these organizations had conducted a risk analysis, and 75 percent updated the risk analysis at least once a year (a requirement for the meaningful use incentive program).
As we noted in earlier blog posts, data security risks will only grow in the future, while thieves still have an incentive to hack ePHI held by healthcare providers. The silver lining to this, though, is that simple solutions are more cost-effective and efficient than many providers may realize.