Private medical practices lag behind hospitals in performing risk analysis and implementing information security controls, a survey by the Healthcare Information and Management Systems Society (HIMSS) found.
 
According to the 2010 HIMSS Security Survey, sponsored by Intel and supported by the Medical Group Management Association, 33% of medical practices said they did not conduct a security risk analysis of their electronic health records, compared with only 14% of hospitals. Overall, 75% of all respondents did conduct a security risk analysis of their organizations.
 
The Centers for Medicare and Medicaid Services has issued rules, known as the Electronic Health Record Incentive Program, for healthcare facilities to qualify for incentive funds. One of the requirements is that hospitals and medical practices conduct a security risk analysis of their electronic health records. These organizations must then implement necessary security updates and correct security deficiencies as part of the risk management process to qualify for the incentives.
 
“As the survey results indicate, one-quarter of the sample population would not qualify for meaningful use incentives based on not having a process to conduct risk analysis. With almost 80% of respondents indicating that they would share electronically stored data outside of their organizations, healthcare organizations must ensure that proper security protections are operative and based on an ongoing risk analysis process”, commented Lisa Gallagher, senior director of privacy and security for HIMSS.
 
The survey also found that 17% of medical practices outsourced their information security function; none of the hospitals outsourced information security. Only 40% of medical practices used multiple types of controls to manage data access, compared to more than half of the hospitals surveyed. Medical practices were less likely to report that an instance of medical identity theft had occurred within their organization (17%), compared to those working for a hospital (38%).
 
Overall, 33% of respondents said that their organization had at least one known case of medical identity theft. About half of the respondents indicated that their organization spent 3% or less of their IT budget on information security, although federal incentives have increased the level of their security budget compared to 2009.
 
The survey polled 272 healthcare IT and security professionals, with one-quarter of them working for medical practices and the rest working in hospitals.