Progress With Governing User Access From 2010 HIMSS Security Survey

Some interesting data points from the 2010 HIMSS Security Survey of healthcare providers show that progress (albeit limited progress) is being made to ensure that user access to personal health information is properly governed.

Some highlights from the report:

Patient Data Access

Surveyed organizations most widely use user-based and role-based controls to secure electronic patient information. More than half of respondents from hospital organizations reported that they used two or more types of controls to manage data access, compared to 40 percent of respondents from medical practices. Approximately half of respondents reported that their organization allows patients/surrogates to access electronic patient information.

The use of enterprise business roles for providing user access should enable healthcare providers to better manage access change while making compliance with privacy regulations such as HIPAA/HITECH more sustainable. One thing that is a bit troubling is the amount of the IT budget being dedicated to security.


Respondents were asked to identify the amount of their organization’s overall IT budget that is dedicated to information security. One-quarter of respondents (27 percent) reported that they spent between one and three percent of the overall IT budget on security. Another 19 percent noted that they spent less than one percent of their overall IT budget on information security.

Sixteen (16) percent reported that they spent four to six percent of their IT budget on information security. Twelve percent reported that they spend seven percent or more of the IT budget on information security. This is consistent with data from 2009, when 40 percent of respondents reported that their organization spent between one and three percent of the overall IT budget on information technology.

Spending 3% on security seems a bit low to us when compared to research we’ve read on spending across other industries, where the average is 5%. For an industry that has had the frequency of data breaches and the sheer volume of PHR lost, you’d think that they would invest more of the IT budget in security initiatives.


Brian Cleary is vice president of products and marketing at Aveksa, a leading provider of enterprise access governance solutions. Brian has more than 17 years of experience directing technology marketing initiatives for both emerging technology companies and top-tier enterprise software vendors. In previous positions, Brian served as vice president of marketing at OpenPages and as senior vice president of marketing at Computer Associates (CA). He has also held management positions at Netegrity, Allaire Corporation and Macromedia. He holds a bachelor’s degree from Syracuse University.