Hospitals Stepping Up Security Risk Analysis, While Practices Lag

Posted on December 14, 2012 | Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or

As hospitals have implemented EMRs, they’ve created a tempting target for criminal hackers, as the goldmine of patient data they house can be very valuable on the black market.  At the same time, patient access to health data has expanded dramatically, expanding possible points of failure.

Aware of these issues, hospitals are almost all conducting an annual security risk analysis, but fewer medical practices are on the bandwagon, according to new research by HIMSS.

Since 2008, HIMSS has conducted an annual security survey of healthcare providers, supported by the Medical Group Management Association and underwritten by Experian Data Breach Resolution. That first year, three-quarters of respondents (largely hospitals) said their organization had conducted an annual risk analysis.

For 2012, a total of 303 individuals completed the HIMSS survey, a self-selected Web-based survey. Those responding had to answer qualifying questions which verified that they were involved directly in working with security at their organization.

This year, a full 90 percent of hospitals reported conducting an annual risk analysis, while just 65 percent of physician practices said that they do so. (I’m actually surprised that so many physician groups are doing any kind of audit, but maybe the respondents came from larger practices.)

What’s really interesting, though, isn’t the mere fact that these organizations are taking their medicine and doing their risk surveys.  Some other highlights of the study:

* Twenty-two percent of respondents reported a security breach in the last year: While scary to contemplate, it’s nonetheless true that both hospitals and medical practices had a one-in-five chance of being breached this year. Most breaches affected fewer than 500 patients, but providers can’t count on that being the rule.

* Fewer than half of the hospitals and doctors had tested their data breach response plan:  Auditing your security arrangements is all well and good, but if you’re not sure your data breach plan will actually help you respond to breaches, it’s not worth the (digital) paper it’s written on.

As the pressure mounts to protect EMR data — across patient portals, mobile devices, laptops, desktops and more — let’s hope that physicians catch up with hospitals when it comes to security.  Otherwise, I think 2013 may be remembered as the year big ‘n ugly physician practice break-ins dominated the news.