Some interesting data points from the 2010 HIMSS Security Survey of healthcare providers show that progress (albeit limited progress) is being made to ensure that user access to personal health information is properly governed.
Some highlights from the report:
Patient Data Access
Surveyed organizations most widely use user-based and role-based controls to secure electronic patient information. More than half of respondents from hospital organizations reported that they used two or more types of controls to manage data access, compared to 40 percent of respondents from medical practices. Approximately half of respondents reported that their organization allows patients/surrogates to access electronic patient information.
The use of enterprise business roles for granting user access should let healthcare providers manage access changes more easily (a role change updates a user's rights everywhere at once) while making compliance with privacy regulations such as HIPAA/HITECH more sustainable. One thing that is a bit troubling is the small share of the IT budget being dedicated to security.
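As an added illustration (example code, not from the survey or any vendor), the following Python sketch combines the two control types the survey mentions: role-based permissions for staff, plus user-based checks for a patient's designated surrogates and treating care team. Role names, actions and the audit tuple format are assumptions constructed for the example; it also shows how a single role change alters a user's rights without touching per-patient grants.

```python
from dataclasses import dataclass, field

# Constructed role-to-permission map (hypothetical, not from the survey).
ROLE_PERMISSIONS = {
    "attending_physician": {"read_chart", "write_orders", "read_demographics"},
    "nurse": {"read_chart", "read_demographics"},
    "billing_clerk": {"read_demographics"},
}
CLINICAL_ACTIONS = {"read_chart", "write_orders"}

@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)  # enterprise business roles

@dataclass
class PatientRecord:
    patient_id: str
    surrogates: set = field(default_factory=set)  # user-based: designated surrogates
    care_team: set = field(default_factory=set)   # user-based: treating clinicians

AUDIT_LOG = []  # every decision is recorded, allow or deny alike

def can_access(user, record, action):
    """Combine a role-based check with a user-based relationship check."""
    if user.user_id == record.patient_id or user.user_id in record.surrogates:
        # Patient/surrogate path: read-only on this one chart, no enterprise role needed.
        decision = action == "read_chart"
    else:
        role_allows = any(action in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)
        # Clinical actions additionally require a treating relationship with this patient,
        # so a valid role alone does not open every chart in the organisation.
        relationship_ok = action not in CLINICAL_ACTIONS or user.user_id in record.care_team
        decision = role_allows and relationship_ok
    AUDIT_LOG.append((user.user_id, record.patient_id, action, "allow" if decision else "deny"))
    return decision

def change_roles(user, new_roles):
    """Role change: one update alters the user's rights everywhere; per-patient grants are untouched."""
    user.roles = set(new_roles)
    return user
```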
Respondents were asked to identify the amount of their organization’s overall IT budget that is dedicated to information security. One-quarter of respondents (27 percent) reported that they spent between one and three percent of the overall IT budget on security. Another 19 percent noted that they spent less than one percent of their overall IT budget on information security.
Sixteen (16) percent reported that they spent four to six percent of their IT budget on information security. Twelve percent reported that they spend seven percent or more of the IT budget on information security. This is consistent with data from 2009, when 40 percent of respondents reported that their organizations spent between one and three percent of the overall IT budget on information technology.
Spending 3% on security seems a bit low to us when compared to research we've read on spending across other industries, where the average is 5%. For an industry that has seen the frequency of data breaches and the sheer volume of PHR lost that healthcare has, you'd think that it would invest more of the IT budget in security initiatives.